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THE DHS INFRASTRUCTURE PROTECTION 
DIVISION; PUBLIC-PRIVATE PARTNERSHIPS 
TO SECURE CRITICAL INFRASTRUCTURES 


Wednesday, April 21, 2004 

House of Representatives, 
Subcommittees on Infrastructure 
and Border Security, 
and 

Subcommittee on Cybersecurity, Science and 
Research and Development, 

Select Committee on Homeland Security, 

Washington, DC. 

The subcommittees met, pursuant to call, at 10:34 a.m., in Room 
2212, Rayburn House Office Building, Hon. Mac THornberry chair- 
man of the Cybersecurity subcommittee] presiding. 

Present: Representatives Thornberry, Camp, Cox, Lofgren, 
Sanchez, Dicks, Cardin, Jackson-Lee, Christensen, Etheridge, 
Lucas, Chandler and Turner. 

Mr. Thornberry. [Presiding.] This hearing will come to order. I 
appreciate the witnesses and the members who are here. There are 
obviously several substantial hearings going on at the same time. 
I know our witnesses will understand as people come and go. As 
you know, this is a joint hearing between the Subcommittee on 
Cybersecurity, Science and Research and Development, and the 
Subcommittee on Infrastructure and Border Security. Chairman 
Camp and I will be sharing the gavel. 

Since we have two panels and two subcommittees today, I ask 
unanimous consent that all members submit opening statements 
for the record so that we can move ahead. Without objection, it is 
so ordered. I would also request our witnesses to work with us on 
that. I think we are going to have votes come at about 12:30 or 
1:00. If you could work with us on summarizing your statements, 
then I would appreciate it. Without objection your full written 
statements will be made a part of the record. 

Prepared Statement of the Honorable Christopher Cox, a Representative in 

Congress, From the State of California, and Chairman, Select Committee 

on Homeland Security 

Thank you Chairman Camp and Chairman Thornberry for holding this important 
hearing. I join you in welcoming our witnesses today, who will help us explore the 
Department’s relationship with various critical infrastructure sectors. 

I want to take this opportunity to commend Secretary Ridge, Under Secretary 
Libutti, Assistant Secretary Liscouski, and the men and women of the Information 
Analysis and Infrastructure Protection (IAIP) Directorate for their dedication and 
accomplishments in this critical area. They have had to build this Directorate from 
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scratch, while facing both enormous expectations in a time of heightened alert and 
unrelenting scrutiny. IAIP gets a lot of attention because it is truly the nerve center 
of the great, new Department. IAIP is at the heart of the Department’s core mission 
to prevent terrorism and protect the infrastructure that is vital to the security and 
economic well-being of our Nation. 

The Homeland Security Act of 2002 requires IAIP to integrate information from 
various public and private sources to form a comprehensive picture of the terrorist 
threats we face, and to map this assessment against the vulnerabilities of our crit- 
ical infrastructure to produce a prioritized and risk-based plan for securing our 
homeland. This is not a one-time task, but a continuous responsibility, in a dynamic 
and constantly changing environment. We have no choice but to continue to press 
IAIP to build the analytic capabilities necessary to carry out its mandate under the 
Homeland Security Act. Risk-based assessments produced by IAIP must guide both 
the Department’s overall homeland security strategy and the allocation of resources 
to priority areas. 

The President has exerted strong leadership in the effort to secure our critical in- 
frastructure. He has issued a national strategy, as well as a Homeland Security 
Presidential Directive (HSPD-7). To secure our critical infrastructure both docu- 
ments envision a strong, sustained public-private partnership. Eighty-five percent of 
our critical infrastructure is owned by the private sector, and it is appropriate that 
the private sector take a lead role in protecting these assets, with assistance — in- 
cluding the provision of actionable threat-based information — and oversight by the 
Federal government. 

The President’s fiscal year 2005 budget request includes $51.6 million for IAIP’s 
“outreach and partnership” program, a 27-percent increase over the previous year. 
This increase is a strong indication of his commitment to enhancing the public-pri- 
vate partnership to protect critical infrastructure. Among other things, this program 
is intended to develop and coordinate strategic relationships between public and pri- 
vate entities for national planning, outreach and awareness, information sharing, 
and protective actions. 

One key manifestation of the public-private partnership envisioned by the Home- 
land Security Act is the continued operation of — and in some cases, the creation of 
new — Information Sharing and Analysis Centers (ISA© for critical infrastructure 
sectors. Part of this hearing will focus on obtaining information from the General 
Accounting Office on its soon-to-be-completed review of the ISAC model, and explor- 
ing how this model can be enhanced. 

As we continue to work with DHS to enhance the public-private partnership, we 
must resist efforts to make DHS the regulator of more and more sectors of our econ- 
omy. The Homeland Security Act clearly bars any such role for DHS, and we should 
alter that formula only with great caution. I see no reason to do so now or for the 
foreseeable future. 

Mr. Chairmen, we share the bold vision of a safer America laid out in the Home- 
land Security Act, the national strategies, and HSPD-7. We are prepared to provide 
rigorous constructive oversight of critical infrastructure protection activities and to 
act as full partners with the Department, other government entities, and the private 
sector in helping realize that vision. 

Thank you, Mr. Chairmen, and I yield back the balance of my time. 

Prepared Opening Statement of the Honorable Sheila Jackson-Lee, a 
Representative in Congress From the State of Texas 

Mr. Chairman, Thank you for convening this hearing on a subject that is extraor- 
dinarily important to the safety of the American public. I would like to welcome As- 
sistant Secretary Liscouski back, as well as this distinguished panel. It seems that 
indeed the Department of Homeland Security is making progress in this area — put- 
ting people and facilities in place to protect our nation’s critical infrastructure. 

However, a chain is only as strong as its weakest link. For example, say I have 
a dozen chemical plants in my District in Houston. If we spend billions of dollars 
and five years and make 11 of them absolutely invulnerable, but we leave just one 
looking like the ones we all saw on 60 minutes last fall, with unlocked gates, absent 
guards, and unprotected tanks of deadly gas — what have we accomplished? A would- 
be terrorist wanting to attack Houston would just have to spend an extra day plot- 
ting his attack — going through the phone book and driving by each chemical plant 
listed. It is essential that that we plug ALL of the holes. We need to know where 
our vulnerabilities are, and develop a comprehensive system to address those 
vulnerabilities. 

That is why many of us have been standing behind the Ranking Member of this 
Committee, urging the DHS to complete a thorough risk assessment of our nation’s 
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critical infrastructure. That is why we need to have clear performance metrics for 
critical infrastructure protection. That is why we need seamless communication be- 
tween federal and state governments and the private sector. To get those things 
done, we will need a fully staffed and functioning Office of Infrastructure Protection. 
Until then, we are all at risk. 

Today we should hear the progress being made within DHS and in their work in 
the field. Do they have the funds, the expertise, and the authority they need to get 
the job done? Is those in the private sector willing partners? It will also be impor- 
tant to hear whether stakeholders outside the DHS are getting the guidance they 
need. 

I look forward to the discussion, and to working together we these two subcommit- 
tees to ensure that we keep pushing the process forward. 

So with that, let me turn directly to our witnesses. On our first 
panel, we have two distinguished witnesses. The first is Mr. Robert 
Liscouski, the Assistant Secretary for Infrastructure Protection 
from the Department of Homeland Security. He has been with us 
a number of times before. Secretary Liscouski, thank you for being 
here. You are recognized for a summary of your opening statement. 

STATEMENT OF THE HONORABLE ROBERT LISCOUSKI, 

ASSISTANT SECRETARY, INFRASTRUCTURE PROTECTION, 

DEPARTMENT OF HOMELAND SECURITY 

Mr. Liscouski. Mr. Chairman, thank you for the opportunity this 
morning. It is always a pleasure to appear before your committees. 
I thank you again for your recognition of the importance of this 
topic. I do have an oral statement, but I will try to go through this 
as quickly as I can in recognition of our time constraints. 

Since the inception of DHS, we have been working very strongly 
to develop partnerships with the private sector. We have made sig- 
nificant progress in evaluating and securing our greatest 
vulnerabilities. In order for this public and private partnership ef- 
fort to succeed, we recognize that we have to increase our efforts 
at information sharing. To this end, we are making very good 
progress. Some would call it exceptional progress in expanding our 
information-sharing capabilities with respect to all types of infor- 
mation that must be shared, including vulnerability information, 
exploits, threats, incidents and best practices, as well as early 
warnings. 

Our critical infrastructure sectors are very diverse, as you well 
know. Consequently, the level of collaboration and coordination 
with the Federal Government and each other within the context of 
the private sector varies widely between the sectors. We recognize 
these differences, and IAIP has developed a very facilitative process 
to work in partnership with the Federal sector-specific agencies as 
defined in HSPD-7, and to help sectors organize themselves as in- 
clusively as possible to identify or construct the sector leadership 
entity for critical infrastructure protection. 

At the operational level, IAIP works daily on a periodic and situ- 
ational basis with ISACs, sharing information on threats and de- 
veloping suggested protective measures and alerts and warnings. 
As you know, there are currently 14 ISACs spanning most of the 
HSPD-7 critical infrastructures. The ISACs serve as our gateway 
between DHS and the industry for tooling information sharing and 
provide the industry with information as an information clearing- 
house for each sector. 
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Through up-to-date distribution lists maintained by the ISACs, 
DHS is able to quickly disseminate threat warnings to identify en- 
tities within each sector. To a lesser degree, however, ISACs and 
their members provide DHS with incident and suspicious activity. 
This has become very much more of a robust information-sharing 
capability. This information holds for us the potential for com- 
pleting the situational awareness picture, together with the intel- 
ligence community and law enforcement, which is vital for us to 
understand the threats that we are facing. 

My organization is responsible for maintaining and enhancing 
those relationships with the private sector through the ISACs and 
through other efforts. Our staff actively participates in ISAC-re- 
lated advisory groups, committees, task forces and working groups 
to maintain day-to-day contact with those ISACs. 

In protecting our country, we need to address the protection from 
a holistic perspective, not one which is artificially divided between 
a physical and a cyber-world. On January 28 of this year, the De- 
partment of Homeland Security, through the US-CERT, unveiled 
our national cyber security alert system, which is an operational 
system to develop and deliver targeted, timely and actionable infor- 
mation to Americans to secure their computer systems. We strive 
to make sure that the information provided is both understandable 
to all computer users, technical and non-technical alike, and re- 
flects the broad usage of the Internet in today’s society. 

Our national strategy for cyber-security acknowledged one of the 
most important constituencies is the private sector. It is estimated 
that 85 percent of our critical infrastructure is, of course, owned 
and operated by the private sector, and the technology developed 
by the technology industry continues to fuel the growth and the 
evolution of the Internet, as well as obviously being ridiculously 
embedded in our business processes. In December 2003, the Na- 
tional Cyber Security Division co-hosted our first national cyber se- 
curity summit, which allowed the Department to work side by side 
with leaders from industry to address key cyber-security issues fac- 
ing the nation. 

Other partnership efforts with the private sector include our Na- 
tional Cyber Security Alliance and Stay Safe Online, which is a 
public-private organization created to educate home users and 
small businesses on cyber security best practices. 

Let me just take a moment to talk about the ISACs. The ISACs 
have emerged over the last several years as the primary conduit 
for critical information sharing between the Federal government 
and our infrastructures and key resources throughout the indus- 
tries. The ISACs continue to evolve, although they began with a 
focus on cyber back in the PDD-63 days. They now include phys- 
ical vulnerabilities as well. This emphasis has really been gaining 
momentum since September 11. This just demonstrates the rec- 
ognition that the ISACs have matured, as well as our strategy to 
include our physical and cyber strategies are interlinked. 

The blackout of August 14 last year is a good example of the co- 
operation and effective communication between IAIP and the in- 
dustry, and specifically the electric power industry through the 
electric industries electric sector ISAC. At the time of the power 
outage, the electric sector ISAC had been well established and the 
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lines of communication between the ISAC and IAIP were in place. 
Shortly after the blackout, the IAIP electric sector specialists were 
on the phone with the ES ISAC to establish a preliminary estimate 
of the extent of the outage to determine how far it had spread and 
to what extent.Following the discussions with the ISAC, we were 
able to make an assessment that the outage did not appear to have 
been caused by terrorist activity, and this information was quickly 
passed on to the Secretary and to the White House. 

Every couple of hours throughout the night and somewhat less 
frequently over the next few days, the ES ISAC conducted con- 
ference calls with the industry representatives to assess restoration 
efforts, the results of which were daily summarized in situation re- 
ports that were provided to senior officials within DHS and the 
White House. 

Since the creation of DHS, we have been leveraging newly inte- 
grated capabilities in the Department to reach out to the private 
sector. For example, in coordination with the U.S. Secret Service, 
shortly after the creation of DHS a financial services ISAC exercise 
was held in New York. The event was well received by the financial 
sector participants. We built on that effort and we are working 
with state homeland security advisers to continually put out more 
tabletop exercises. DHS has recently conducted exercises in Chi- 
cago, San Francisco and Houston, and we are currently conducting 
one in St. Petersburg, Florida with the FS ISAC. 

The Administration and Congress have provided additional tools 
to enhance our information-sharing capabilities with the ISAC. I 
will just go through that very quickly. As the primary operational 
interface with the nation’s critical infrastructures, my Infrastruc- 
ture Coordination Division, or ICD, continues to pass timely and 
substantive threat information to the private sector. We regularly 
hold daily, sometimes weekly teleconferences. Sector analysts pro- 
vide critical infrastructures and ISACs with threat updates on ter- 
rorist activities potentially affecting their systems and facilities. 

In addition, the ICD sector analysts routinely assist our intel- 
ligence analysts from IA in preparing the warnings that identify 
and communicate infrastructure-specific threats and trends. The 
Critical Infrastructure Information Act was recently enacted at the 
request of the private sector, and provided implementing regula- 
tions to private industry with assurances that critical infrastruc- 
ture information they voluntarily share with the government will 
be protected from release to the public from use in civil litigation. 

The PCII program enables the Department to receive critical in- 
formation that would not have been previously available to the gov- 
ernment, thereby allowing a better understanding of threats and 
vulnerabilities and the security of our nation’s critical infrastruc- 
ture. 

We recognize the need for better coordination for information 
flow in the private sector and we have established consequently the 
National Infrastructure Coordination Center under the Infrastruc- 
ture Coordination Division. Now in its third month of official oper- 
ation, the NICC provides operational awareness of the nation’s crit- 
ical infrastructures and key resources in collaboration with both 
private partners and our counterpart government agencies. 
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Another key component of our strategy is connectivity. With the 
announcement of the Homeland Security Information Network, 
HSIN, DHS provides a new capability for enhancing many of the 
critical infrastructures ISACs’ capabilities to communicate with 
their sectors. The system provides a secure encrypted backbone ca- 
pability for participants to communicate sensitive, but unclassified 
information with DHS, with each other, and other communities of 
interest which may have information useful to them. It provides a 
collaborative feature that allows government and industry partici- 
pants to work together in real time on problem solving. It has an 
alerting and notification feature to disseminate information to 
members of a sector or across sectors. 

The system provides a capability for sectors to interact with each 
other as necessity dictates. The features within that system pro- 
vides for basic and common communication service among ISACs. 
I would be happy to discuss that further. 

Let me just conclude by saying that in today’s threat environ- 
ment where threats and vulnerabilities are continuously evolving 
in both physical and cyber space, we need critical infrastructure 
sectors’ coordination and cooperation and expertise and creativity 
to find the most effective, sustainable, consistent and measurable 
ways to protect their sectors. The partnerships we have developed 
and will continue to develop will improve upon the relationships we 
have, but they are absolutely key to the success of our goal to pro- 
tect our nation and its critical infrastructure. 

Mr. Chairman, thank you. 

[The statement of Mr. Liscouski follows:] 

Prepared Statement of the Honorable Robert Liscouski 

Good morning, Chairman Thornberry, Chairman Camp, and distinguished mem- 
bers of the subcommittees. I am pleased to appear before you again today to discuss 
Information Sharing between the Department of Homeland Security and Critical In- 
frastructure Sectors. 

The recent bombings in Madrid confirm that terrorists are willing to exploit a 
wide range of infrastructure vulnerabilities. That is why we must continue to be 
vigilant and flexible in our approach to infrastructure protection. We in the Informa- 
tion Analysis and Infrastructure Protection Directorate (IAIP) take that mandate to 
heart in our collective efforts and activities to protect the Nation. 

Since the inception of DHS in 2003, working in a continuing partnership with pri- 
vate industry, we have made significant progress in evaluating and securing our 
greatest vulnerabilities. In order for this public-private partnership effort to suc- 
ceed, increased information sharing is essential. To this end, we are making excep- 
tional progress in expanding our information sharing capabilities with respect to all 
of the types of information that must be shared including vulnerability information, 
exploits, threats, incidents, best practices, and early warnings. 

Today I will discuss with you an overview of the current level of relationships and 
information sharing we have with private industry, illustrating accomplishments 
with specific examples. Then I will describe recent initiatives we have implemented 
to enhance those relationships. Finally, I will discuss some new initiatives we are 
planning for later this year. 

DHS and Private Sector Relationships 

Any effective relationship with private industry requires engagement at all levels. 
IAIP works hard to maintain a comprehensive relationship with private industry, 
specifically focusing on the critical infrastructure sectors and the owners and opera- 
tors of key assets. This relationship operates on three levels: (1) policy and strategy; 
(2) planning and implementation; and (3) operational execution. 

Policy and Strategy 

IAIP serves as the executive agent for two Presidential advisory committees: The 
National Infrastructure Advisory Council (NIAC) and the National Security Tele- 
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communications Advisory Committee (NSTAC). Both bodies provide policy and stra- 
tegic advice to the President on enhancing public-private partnerships and on spe- 
cific strategic issues related to critical infrastructure protection. 

The NSTAC is chartered to provide industry-based advice and expertise through 
the Secretary of Homeland Security to the President on issues and problems related 
to implementing national security and emergency preparedness (NS/EP) tele- 
communications policy. It is composed of up to 30 industry chief executives rep- 
resenting the major communications and network service providers and information 
technology, finance, and aerospace companies. Since its inception, the NSTAC has 
addressed a wide range of policy and technical issues regarding telecommunications, 
information systems, information assurance, critical infrastructure protection, and 
other NS/EP communications concerns. 

The NIAC, through the Secretary of Homeland Security, provides the President 
with expert advice on the security of information systems for critical infrastructure 
supporting other sectors of the economy: banking and finance, transportation, en- 
ergy, manufacturing, and emergency government services. Because information and 
physical security are inextricably linked within many critical infrastructure sectors, 
the Council has addressed issues that cover both. The NIAC is charged to enhance 
the partnership of the public and private sectors, propose and develop ways to en- 
courage private industry to perform periodic risk assessments, foster improved co- 
operation among the Information Sharing and Analysis Centers (ISACs), DHS, and 
other Federal Government entities; and advise sector specific agencies with critical 
infrastructure responsibilities, sector coordinators, DHS, and the ISACs. The Coun- 
cil includes chief executives from industry, academia and State and local govern- 
ment. 

Both the NSTAC and the NIAC work closely with the Administration and IAIP 
to identify key policy issues of importance to critical infrastructure protection. 

Planning and Implementation 

At the planning and implementation level, IAIP works with cross-sector bodies, 
such as the Partnership for Critical Infrastructure Security (PCIS). The PCIS Board 
consists of all the sector leadership entities that comprise the “sector coordination 
mechanismfs]” referred to in Homeland Security Presidential Directive 7 (HSPD-7). 
These leadership entities have been previously affirmed by the sector specific agen- 
cies. Private industry established the PCIS as a forum to partner across sectors and 
with the Federal Government to address critical infrastructure. 

IAIP also works with the ISAC Council, whose members represent many of the 
ISACs established in infrastructure sectors. Private industry, on its own volition, or- 
ganized this forum to share common issues and best practices, and to find common 
solutions. ISACs are established voluntarily by industry sectors to share information 
and analysis for alerts, warnings and advisories, and act as a communication vehicle 
for best practices and other security information tailored for each sector. 

As a point of entry into the sector, sector leadership entities have the mission of 
facilitating sector strategy and policy as well as coordinating a wide range of critical 
infrastructure planning activities, that include national planning involving critical 
infrastructures, outreach and awareness, sector vulnerability assessments, require- 
ments for sector information sharing, identifying sector-wide best practices, acting 
as the sector’s point of contact with the Federal Government at infrastructure pro- 
tection meetings, and serving as the strategic communication point back into the 
sector and to its members from the Federal Government. 

The critical infrastructure sectors are very diverse in their composition, culture, 
and operations. Consequently, their level of collaboration and coordination with the 
Federal Government, and with each other, varies widely between sectors. Recog- 
nizing these differences, IAIP has developed a facilitative process to work in part- 
nership with the Federal sector-specific agencies (as defined in HSPD-7) to help the 
sectors organize themselves as inclusively as possible to identify or construct the 
“sector leadership entity” for critical infrastructure protection. This leadership entity 
could be an individual, entity or group. Examples of how IAIP actively engages in 
this sector development activity can be found today in the Agriculture and Food sec- 
tors (in partnership with HHS and USDA), the Public Health sector (in cooperation 
with HHS), the Postal and Shipping sector, the Water sector (in cooperation with 
EPA), and the Emergency Services sector. 

IAIP leadership met frequently with both the PCIS and the ISAC Council 
throughout the last year, and continues to meet with them, to understand and gain 
deeper knowledge of sector issues from the private sector representatives on various 
aspects of infrastructure protection. Out of one of the briefings provided by IAIP to 
the ISAC Council, the Council, on its own initiative, developed a series of white pa- 
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pers on information sharing for its own use in strategic planning, and shared them 
with IAIP. 

With the support of IAIP, the PCIS Board and the ISAC Council began holding 
joint meetings in December, 2003. They have worked jointly and independently on 
various initiatives. In joint sessions, DHS has provided comprehensive briefings on 
its initiatives and critical issues, which have led the joint PCIS/ISAC Council to 
begin identifying specific activities, tools/methodologies development, and programs 
undertaken by each specific sector and then shared across sectors as best practices 
to improve each sector’s security. This study has helped each sector identify gaps 
as they compare their activities. This joint body represents a major forum for joint 
communication with the critical infrastructure sectors. 

IAIP has embarked upon national level planning efforts that will involve the pri- 
vate sector in the development and/or implementation of the plan. Under HSPD- 
7, IAIP has embarked upon the development of the National Infrastructure Protec- 
tion Plan (NIPP). This National Plan will cover the 13 critical infrastructure sectors 
and four categories of Key Resources. Sector-Specific Agencies both internal to and 
external to DHS will have the lead for drafting these 17 sector-specific plans, which 
will be integrated into the National Plan. The public-private partnership in this 
Plan will be realized through engaging the private sector in the planning process 
as represented by their ISACs, sector coordinators, and other recognized sector 
stakeholders so that their knowledge and information will be reflected in the sub- 
stance of the Plan itself. 

In a second national planning effort under HSPD-5, DHS’s Office of Headquarters 
Integration Staff, along with the Department’s directorates, is developing the Na- 
tional Response Plan. For the first time, the National Response Plan, which inte- 
grates the various federal response plans, will include the private sector as an es- 
sential element in preparedness, response, and recovery. 

Relationships must be maintained at this level in order to assure coordinated and 
integrated plans and programs that utilize resources optimally and to assure en- 
gagement of operational leadership within the private industry for mutual planning 
and goals setting. 

Operational Execution 

At the operational level, IAIP works on daily, periodic and situational basis with 
ISACs sharing information on threats, developing suggested protective actions, and 
alert and warnings. There are currently 14 ISACs spanning most of the HSPD-7 
critical infrastructures. ISACs serve as a gateway between DHS and the industry 
for two-way information sharing and provide the industry with an information clear- 
inghouse for each sector. Through the up-to-date distribution lists maintained by the 
ISACs, DHS is able to quickly disseminate threat warnings to identified entities 
within each sector. 

To a lesser degree, ISACs and their members provide DHS with incident and sus- 
picious activity information. This type of information holds the potential for com- 
pleting the situational awareness picture (together with Intelligence Community 
and Law Enforcement information) concerning possible threats to the nation’s crit- 
ical infrastructures. In my organization, the Infrastructure Coordination Division 
(ICD) and National Communications System (NCS) are the two IAIP divisions re- 
sponsible for maintaining and enhancing relationships with the private sector 
through their ISACs, the latter with specific responsibility for the telecommuni- 
cations sector. Staff from both divisions participate actively in ISAC related Advi- 
sory Groups, Committees, Task Forces and Working Groups and maintain day-to- 
day contact with the ISACs. 

In addition, the Protective Security Division (PSD), also within the Office of Infra- 
structure Protection, has worked with owners and operators of specific categories of 
critical assets to develop and tailor protective practices for these assets. An example 
of this type of product is the guidelines for protecting refineries that the oil industry 
published last year. This type of work complements the “buffer zone” approach for 
communities that the division has developed and deployed over the last fourteen 
months. In addition, PSD is deploying regional/ field security representatives to 
work directly with the owners and operators of critical infrastructure facilities and 
community leaders to address protective measures. Together, these practices con- 
stitute a holistic approach to infrastructure protection, looking at the activity from 
a “whole systems” perspective, and providing for a “layered” defense for the nation’s 
critical assets. 

In support of integrated operations, DHS’s predecessor agencies have granted se- 
curity clearances to industry representatives when the purpose is to help the Fed- 
eral Government maintain and enhance our national security, which includes crit- 
ical infrastructure protection. Clearances historically have been given to individuals 
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who have unique expertise, not available in government, on critical infrastructure 
protection, operations, or technology or who must take specific protective actions in 
response to classified information. In the past, IAIP sector analysts have specifically 
relied on ISAC and industry experts, generally with secret-level clearances, to help 
them assess sector threat, risk, and vulnerability information. In particular, these 
industry representatives work closely with DHS analysts to ensure that govern- 
ment-generated warning products (e.g. Advisories and Information Bulletins), when 
declassified to permit broad industry distribution, still contain information that pro- 
vides “value added” actionable intelligence when disseminated to sector members. 
DHS is continuing to refine and working to accelerate the process for granting secu- 
rity clearances to key sector individuals to assist DHS, and ultimately their own sec- 
tors, regarding the production and receipt of timely and actionable threat informa- 
tion. 

In February, 2003, President Bush issued the National Strategy to Secure Cyber- 
space (“the Strategy”). DHS recognized that in order to meet many of the mandates 
in the Strategy and other objectives addressing greater national cyber security, we 
needed to create an operational mechanism for building a cyber security readiness 
and response system. As such, through an initial partnership with the CERT Co- 
ordination Center (CERT/CC) at Carnegie Mellon University, we created the U.S. 
Computer Emergency Readiness Team, or US-CERT. Through that partnership, 
US-CERT is able to leverage, rather than duplicate, existing capabilities and accel- 
erate national cyber security efforts. US-CERT provides a national coordination 
center that links public and private response capabilities to facilitate information 
sharing across all infrastructure sectors and to help protect and maintain the con- 
tinuity of our Nation’s cyber infrastructure. The overarching approach to this task 
is to facilitate and implement systemic global and domestic coordination of deter- 
rence from, preparation for, defense against, response to, and recovery from, cyber 
incidents and attacks across the United States, as well as the cyber consequences 
of physical attacks. To this end, US-CERT is building a cyber watch and warning 
capability, launching the US-CERT Partnership Program to build situational 
awareness and cooperation, and coordinating with U.S. Government agencies and 
the private sector to deter, prevent, respond to and recover from cyber — and phys- 
ical — attacks. Through its Internet portal, US-CERT is a crucial component of — and 
a distribution tool for — our cyber security awareness activities. 

On January 28, 2004, the Department of Homeland Security through US-CERT 
unveiled the National Cyber Alert System, an operational system developed to de- 
liver targeted, timely and actionable information to Americans to secure their com- 
puter systems. As the U.S. Government, we have a responsibility to alert the public 
of imminent threats and to provide protective measures when we can, or least pro- 
vide the information necessary for the public to protect their systems. Furthermore, 
it is also important to inform the public about the true nature of a given incident, 
what the facts are, and what steps they can and should take to address the problem. 
The offerings of the National Cyber Alert System provide that kind of information, 
we have already issued several alerts and the initial products in a periodic series 
of “best practices” and “how-to” guidance messages. We strive to make sure the in- 
formation provided is understandable to all computer users, technical and non-tech- 
nical, and reflects the broad usage of the Internet in today’s society. As we increase 
our outreach, the National Cyber Alert System is looking at other partners to dis- 
tribute information to as many Americans as possible. 

As the strategy acknowledged, one of our most important constituencies is the pri- 
vate sector. It is estimated that eighty-five percent of America’s critical infrastruc- 
ture is owned and operated by private companies, and technology developed by in- 
dustry continues to fuel the growth and evolution of the Internet. In December 
2003, the National Cyber Security Division (NCSD) co-hosted the first National 
Cyber Security Summit in Santa Clara, California with the Information Technology 
Association of America, TechNet, the Business Software Alliance, and the U.S. 
Chamber of Commerce. This event was designed to energize the public and private 
sectors to implement the Strategy. The Summit allowed the Department of Home- 
land Security to work side-by-side with leaders from industry to address the key 
cyber security issues facing the Nation. Five interest areas were established to focus 
specifically in the areas of: 

• Increasing awareness 

• Cyber security early warning 

• Best practices for information security corporate governance 

• Technical standards and common criteria 

• Security across the software development lifecycle 

Perhaps most importantly, the Summit served as a call to action. It represented 
a logical transition point from developing a national strategy to energizing the pub- 
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lie-private partnership to implement concrete, measurable actions to improve the se- 
curity of America’s cyber systems. Over the past few weeks, summit participants 
have put forward options for potential solutions in each of these key areas for both 
the public and private sector. We are excited that the private sector is showing such 
initiative and we are committed to working together. 

DHS is also a sponsor of the National Cyber Security Alliance (NCSA) and 
StaySafeOnline, a public-private organization created to educate home users and 
small businesses on cyber security best practices. Other NCSA sponsors include: 
The Federal Trade Commission, AT&T, America Online, Computer Associates, 
ITAA, Network Associates, and Symantec. DHS is providing matching funds to ex- 
pand the NCSA end-user outreach campaign, which will include a Fall 2004 Public 
Service Campaign to increase awareness among Americans about key cyber security 
issues. 

In operational relationships of this kind, adding value, efficiency and customer 
orientation is the key to building trust and sustaining relationships. IAIP has 
worked hard to enhance its capabilities in this regard over the last year with these 
activities. These relationships represent on-going efforts that are essential for effi- 
cient planning and implementation coordination. The long term commitment of com- 
munications between the federal government and the private entities is an essential 
element of building successful public-private partnerships. 

Private Public Partnerships Information Sharing 

Adequate, actionable information is an essential enabler for all facets of critical 
infrastructure protection, from deterrence to response. Congress recognized its im- 
portance in the new tools it provided to DHS to obtain and protect, analyze and dis- 
seminate information from a wide variety of sources. Private industry owners and 
operators of critical infrastructure have long understood their responsibility for as- 
suring their operations under a multitude of circumstances ranging from accidents 
to natural disasters. They now must add terrorism to the list of natural and man- 
made hazards they must consider and accommodate in their investments and re- 
sponse preparedness. The Federal government alone cannot protect this nation’s ex- 
pansive and widely distributed national infrastructures. IAIP needs private industry 
to be fully engaged in our national CIP program. Consequently, two-way informa- 
tion sharing with the owners and operators of critical infrastructures remains one 
of our highest priority public private partnerships. 

Current Information Sharing Initiatives 

The Information Sharing and Analysis Center (ISAC) has emerged over the last 
several years as a primary conduit for information sharing between the Federal gov- 
ernment and many critical infrastructures and key resource industries. Each ISAC 
structure and operations tends to reflect the culture, structure and operating proc- 
esses of their sector. The ISACs continue to evolve. They began with a focus on 
cyber security vulnerabilities and incidents. Since September 11, 2001, most share 
information on physical incidents as well. 

ISACs have widely varying levels of maturity and capability. ISACs have served 
a valuable role in private partnership information sharing. The purpose of the ISAC 
is to provide an efficient conduit for dissemination, sharing and communications of 
indications, warnings, and advisories related to potential threats vulnerabilities and 
incident data. 

The Northeast Blackout of last year is a good example of cooperation and effective 
communications between IAIP and the Electric Power industry through the indus- 
try’s Electric Sector — ISAC. At the time of the power outage the ES-ISAC had al- 
ready been well established and lines of communication between the ISAC and IAIP 
were in place. By approximately 4:30 p.m. EDT, 15 minutes after the initiation of 
the power outage, the IAIP’s electric sector specialist was on the phone with the 
ES-ISAC to establish a preliminary estimate of the extent of the outage and to de- 
termine whether it had ceased to spread. Following discussions with the ISAC, we 
were able to make an assessment that the outage did not appear to have been 
caused by terrorist activity. This information was immediately elevated to Secretary 
Ridge and to the White House. 

Every couple of hours throughout the night, and somewhat less frequently over 
the next several days, the ES-ISAC conducted conference calls with industry rep- 
resentatives to assess restoration efforts. These calls were summarized in a Situa- 
tion Report that was provided to senior officials within DHS and to each IAIP Infra- 
structure Sector lead for cross-infrastructure sharing purposes (since every sector 
depends upon electricity). In addition, the ES-ISAC structure was used effectively 
to share information with other industry sectors that are dependent on electricity. 
For example, on the evening of the power outage, the IAIP electric power staff ad- 
dressed a conference call of the Financial Sector-lSAC and was able (based on ear- 
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lier ES-ISAC inputs) to estimate the duration of the interruption of power supplies 
to New York City. In summary, the August 14th power outage demonstrated that 
the ISACs are an effective mechanism for receiving information from the private 
sector as well as for providing information to the private sector during a crisis. 

A long standing example of the utility of ISACs is the National Communications 
Center Telecommunications-ISAC, which is the primary DHS interface with the Pri- 
vate Sector for the telecommunications infrastructure. Built on an existing informa- 
tion sharing body, the NCC Telecom-ISAC is grounded by well-established trust. 
This mature, close relationship with industry is Government-supported, which facili- 
tates the ISAC’s ability to provide a value-added service, reaching out to the entire 
sector. This has provided a great role model for other ISACs. 

In the past, the Federal Government would conduct readiness and terrorism exer- 
cise in the absence of private sector participation. For example, in the TOPOFF-1 
and TOPOFF-2 exercise series, the private sector owners and operators of infra- 
structure were excluded from “exercise play”, with the sole exception of hospitals, 
which were always one of the key operations being "stressed and tested" in those 
types of exercises. In contrast, based on prior planning and coordination by the U.S. 
Secret Service component of DHS, a Financial Services (FS)-ISAC Table Top Exer- 
cise was held in New York, March 2003 soon after the standup of the Department. 
DHS staff attended the exercise to observe the scenario play and to ensure that par- 
ticipants were aware of DHS’s role, including ICD role, in aiding with real-world 
recovery operations. The event was well received by the financial sector partici- 
pants. 

Building on this effort and working with the state homeland security advisors, 
DHS has continued these exercises in, Chicago, San Francisco, Houston, and now, 
concurrent with this testimony, from 19-22 April 2004, the FS-ISAC is hosting its 
next Tabletop exercise in St. Petersburg, Florida. The exercise will include two days 
of interactive tabletop play. DHS is sponsoring this event and staff will be actively 
participating in the exercises. 

From the lessons learned of TOPOFF-2 and these other table top exercises, IAIP 
recognizes the need to engage our private sector partners in these planning and exe- 
cution of these national level exercises. Exercises, of all kinds, tabletop, command 
post and full scale; are powerful ’best practice’ training tools and provide another 
venue for information sharing. IAIP plans to continue to include the private sector 
in future exercises whenever it makes sense to do so. 

New Information Sharing Initiatives 

The Administration and Congress have provided additional tools to enhance infor- 
mation sharing with the private sector. I will now discuss IAIP’s new information 
sharing initiatives. 

As the primary operational interface with the nation’s critical infrastructures, 
ICD continues to pass timely and substantive threat information to the private sec- 
tor. At daily and/or weekly teleconferences, sector analysts provide the critical infra- 
structures via the ISACs with unclassified threat updates on terrorist activities po- 
tentially affecting their systems and facilities. In addition, classified threat briefings 
are presented to cleared ISAC representatives and their industry members on a 
quarterly or semi-annual basis. To maintain appropriate situational awareness for 
each sector — a key division objective — ICD analysts on an ad hoc basis also provide 
timely assessments of high threshold threats to critical infrastructures through the 
ISACs. In addition, ICD sector analysts routinely assist IA analysts in preparing 
warning products that identify and communicate infrastructure-specific threats and 
incident trends. 

The National Infrastructure Coordinating Center (NICC) uses the Infrastructure 
Protection (IP) Executive Notification Service (ENS) to quickly notify ISAC leader- 
ship and Sector Coordinators of critical infrastructure events ranging from notifica- 
tion of imminent threats, dissemination of sector-specific warning products, and 
changes in national threat level. ENS delivers rapid internal and external mes- 
saging capability among government and private sector partners and provides Inter- 
active Secure Authentication, which ensures confidentiality of communications, as 
well as confirmation of receipt. 

Protected Critical Infrastructure Information 

Critical to the Department of Homeland Security’s mission is the ability to effec- 
tively share information with homeland security partners across the country to bet- 
ter protect the nation’s critical infrastructure. The Critical Infrastructure Informa- 
tion (CII) Act and implementing regulations provide private industry assurances 
that critical infrastructure information they voluntarily share with the government 
will be protected from release to the public and from use in civil litigation. The PCII 
Program enables the Department to receive critical infrastructure information that 
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would not have previously been available to the government, thereby allowing for 
a better understanding of threats, vulnerabilities and the security of the nation’s 
critical infrastructure. 

With the protection from FOIA disclosure offered by the CII Act, the private sec- 
tor can share sensitive and confidential information that can be analyzed to identify 
threats and vulnerabilities. Such analysis will provide the basis not only for devel- 
oping measures to deter the threats and mitigate the vulnerabilities to which the 
critical infrastructure is exposed, but also for improving Federal, State, and local 
governments’ emergency preparedness posture to respond to any attacks more effec- 
tively. 

The benefits to private industry are both practical and patriotic. Information shar- 
ing will result in better identification of risks and vulnerabilities, which individual 
companies can use to help protect their assets. By voluntarily sharing such critical 
information, private industry demonstrates responsiveness to Government need and 
the public good. Private industry is demonstrating good corporate citizenship that 
may save lives and protect our hometowns. By participating in the PCII Program, 
industry is helping to safeguard and prevent disruption to the American economy 
and way of life. 

National Infrastructure Coordination Center (NICC) 

The NICC is currently developing capabilities towards its targeted operational ca- 
pacity. Now in its third month of official operation, the NICC is collecting and ana- 
lyzing best practices. While this analysis begins with watch center models, it also 
includes management practices, information sharing systems, and other process de- 
velopment models from a broad range of industries. The NlCC will also work with 
its IAIPs public and private sector partners to ensure that its operational models 
most effectively and efficiently meet their needs. 

DHS designed the NICC specifically to maintain operational awareness of the na- 
tion’s critical infrastructures and key resources in collaboration with both private 
partners and counterpart government agencies. The NICC also, by design, provides 
DHS with the ability to coordinate information sharing between government, ISACs, 
and other industry partners. The NICC functions as an extension of the Homeland 
Security Operations Center (HSOC). 

Homeland Security Information Network 

With the announcement by the Secretary of the Homeland Security Information 
Network (HSIN) in March, DHS provides a new capability for enhancing many of 
the critical infrastructure ISACs’ capabilities to communicate with their sectors. The 
system provides a secure encrypted backbone capability for participants to commu- 
nicate Sensitive But Unclassified (SBU) information with DHS, with each other, and 
other communities of interest that have information that may be useful to them. It 
provides a collaborative feature that allows government and industry participants 
to work together in real-time on problem solving. It has alerting and notification 
features to disseminate information to members of a sector or across sectors. The 
system provides the capability for sectors to interact with each other on the system 
as necessity dictates. These features provide support for a basic and common com- 
munications service among ISACs. 

By providing access to these capabilities to the critical infrastructure ISACs, IAIP 
adds value as a partner to the ISACs by removing duplication of costs in implemen- 
tation and operations, and accelerates the development of value of the ISACs to 
their sectors. From experience with its use through the JRIES community (con- 
sisting of law enforcement at Federal, state and local levels) the collaborative and 
real-time aspects of the system actually increases the pace and volume of informa- 
tion sharing. Pilots with volunteer critical infrastructure sectors will begin this year, 
with support from the Infrastructure Coordination Division. 

We have seen great progress in two way information sharing with the private sec- 
tor and these examples are illustrative of our efforts. 

Conclusion 

This Administration has upheld a consistent policy that public private partner- 
ships be one of the pillars of national critical infrastructure protection. Partnerships 
are an essential element described in every national strategy document that we 
have published on homeland security and critical infrastructure protection. This pol- 
icy recognizes the new environment of terrorism, where both threats and 
vulnerabilities are continuously evolving in both physical and cyber space, will re- 
quire an unprecedented adaptability and cooperation of the stakeholders. Since 85 
percent of the critical infrastructures are owned and operated by private industry, 
how could a sustained effort be institutionalized to protect them? Only a full under- 
standing by the stakeholders of their own vested interests related to this issue could 
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sustain such an effort and commitment. Public-private partnerships are the only 
means that is responsive enough and adaptive enough to accomplish our national 
goals in a scalable, sustainable, and effective way. 

We have learned many lessons about developing effective partnerships both from 
our legacy agencies and from our own experiences since DHS was implemented in 
2003. I would like to share three of these with you today. Lesson 1 — Partnerships 
require a set of mutually determined objectives and deliverables to achieve a value 
proposition and trust. Lesson 2 — Participation in planning and objectives setting is 
essential to the success of the partnership. Both sides must understand the expecta- 
tions, values, concerns, risks and individual objectives of each participant. Lesson 
3 — Constant communication between all of the parties is an essential imperative. 

With years of experience by agencies that are now part of DHS, the successful 
partnerships built between federal lead agencies and their counterparts in industry 
were those where the federal lead agencies educated and learned, convened, listened 
and responded and then supported their industry counterparts who took the lead 
to implement programs to protect themselves. The Federal government sharing use- 
ful, actionable information on threats induces greater information sharing by indus- 
try in return. Making it easy for industry to receive and provide information, pro- 
viding products and services in return, based on that information, and working with 
owners and operators to develop and implement consistent and generally accepted 
protection practices, will add value to any partnership. 

In all relationships, there are challenges. Strong long-term relationships depend, 
however, on how well the participants handle, learn from, and adapt to those chal- 
lenges. Some lessons learned from the recent past in our dialogue with industry in- 
clude involving them in planning, mutual goals setting and development of oper- 
ational learning, such as input into our national plans, the NIPP and NRP, and di- 
rect participation in major exercises such as TOPOFF3. We have responded and 
adapted to many of the needs and expectations of industry in support of their pro- 
tection strategies and programs. 

Some private institutions have committed tremendous resources in time and 
money to supporting this national initiative, not just for their individual institution 
but for their industry as whole. Even before 9/11, some were doing so. Terrorists 
have innumerable weapons and targets of choice in our open society. In order to sus- 
tain an effective national CIP program, we need critical infrastructure sectors’ co- 
operation, expertise and creativity to find the most effective and efficient ways to 
protect their sectors. It is incumbent upon DHS to develop and strengthen these 
partnerships and we will do so because there is more to do to help secure our home- 
land. 

Mr. Thornberry. Thank you. 

Also on our first panel, we have Mr. George Newstrom, who is 
the Secretary of Technology and Chief Information Officer for the 
Commonwealth of Virginia. He also serves as the Chairman of the 
Security Committee of the National Association of State Chief In- 
formation Officers. Secretary Newstrom, thank you for being with 
us, and you are recognized for 5 minutes to summarize your state- 
ment. 

STATEMENT OF THE HONORABLE GEORGE NEWSTROM, 
SECRETARY OF TECHNOLOGY, COMMONWEALTH OF VIRGINIA 

Mr. Newstrom. Thank you, Mr. Chairman and members of the 
committee. I will summarize my statement. You have the full text 
in front of you right now. The Chairman has already introduced me 
and the two hats that I come to you with today. 

At NASCIO, I serve as the Chair of the Security Committee. This 
committee addresses the role of information and communications 
technology, both in terms of how it supports the wider needs of 
state homeland security directors and how state governments 
should be protecting their critical information assets. We also over- 
see NASCIO’s Interstate Information Sharing and Analysis Center, 
the ISAC, which arose from a 2002 memorandum of understanding 
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with DHS’s Infrastructure Coordination Division led by Jim 
Caverly. 

Information infrastructure is only part of America’s critical infra- 
structure that is under attack everywhere all the time. Unfortu- 
nately, cyber attacks on a national scale are still treated as sec- 
ondary to any physical threat, whether it is chemical, biological, ra- 
diological, nuclear or explosive. NASCIO believes that while cyber 
terrorism per se is still an emerging threat, we must press forward 
toward a coordinated intergovernmental approach to protecting 
government’s critical information assets if we are to ensure that 
critical government business functions, especially those supporting 
homeland security, will be available when needed. 

If we can secure our systems from hackers and organized crime, 
we will have gone a long way toward securing them from terrorist 
and enemy nation-states. NASCIO has long realized the inter- 
dependence of Federal, state and local information systems which 
drive the need for intergovernmental approach. Toward that end, 
we produced a document in 2002 titled Public Sector Information 
Security, a call to action for public sector CIOs that emerged from 
a forum convened by NASCIO in the wake of 9—11. We also con- 
vened a roundtable discussion that included local, state and Fed- 
eral participants here last July. 

The primary lessons we have learned are that government ICT, 
information and communications technology personnel, should be 
considered core competencies to state and local emergency response 
capabilities because without them, everything from databases to 
wireless communications first responders cannot do their job. Also, 
given the fact that states, counties and cities are the primary 
mechanism for the delivery of critical services to citizens, including 
Federal programs, if the information systems of states or local gov- 
ernments go down, the ability of the other levels of government to 
do business within jurisdictions will be significantly impaired, if 
not interrupted. This creates a cascading effect. 

While the CIO is charged with protecting the state’s critical in- 
formation assets, he or she is also charged with managing the day- 
to-day operations of a wide variety of information systems and in- 
frastructures that support first responders in homeland security 
leadership. Up to now, homeland security has primarily been de- 
fined as those systems involving law enforcement and emergency 
managers. However, as state efforts fuse information from intel- 
ligence and all-hazard incident management purposes become more 
sophisticated, a wide range of information systems will be drawn 
together in an effort from public safety, public health, transpor- 
tation and agriculture, among them. 

Homeland security at the state and local level is less about orga- 
nizational change and more about cultural adjustment. Homeland 
security, like technology, requires an enterprise approach that syn- 
chronizes and harmonizes disparate parts under a common um- 
brella. Key to this success with this cultural change is achieving 
vertical and horizontal sharing and integration of information, 
something that requires effective application of technology. This 
will require the CIO, with statewide oversight, to help manage the 
development and deployment of systems that can meet the ever- 
changing needs of homeland security decision makers. 
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As a caution and an urge to the Federal Government, we ask 
that the Federal Government consolidate its information-dissemi- 
nating capability. While it may be necessary to separate public 
safety, military and cyber efforts, we should not have multiple, un- 
coordinated information dissemination efforts within each of these 
categories as we do now. Virginia knows from first-hand experience 
that the FBI and DHS are issuing separate information products 
to law enforcement and non-law enforcement communities respec- 
tively. This makes it difficult for state homeland security directors 
and CIOs to understand the full spectrum of threats faced by 
states, without staying abreast of multiple channels and fusing the 
information internally. 

NASCIO knows by the work with other states that the other 
Federal agencies, particularly those in the Departments of Justice 
and Health and Human Services, are issuing cyber alerts to state 
and local programmatic counterparts which are not incorporated in 
the National Cyber Security Division, NCSD, of DHS. NASCIO 
would be willing to work with Mr. Amit Yoran and the Federal 
Chief Security Officers Council to develop an intergovernmental 
warning process so state CIOs, homeland security directors and 
program-specific leadership receives coordinated, consistent and 
timely alerts and notices. 

As the 9-11 commission has heard now on many occasions, the 
issue may be less on what and how much information we know, but 
how knows it and who they share it with. In the area of cyber secu- 
rity, we are doing well at countering attacks on infrastructure after 
they happen. Isn’t our real objective to try to identify potential at- 
tacks in advance so that we can avert costly efforts to eradicate 
them once they happen? The only way to do this is by connecting 
the dots, sharing information across Federal and state agencies in 
a timely and focused manner. 

NASCIO has been actively engaged in sharing cyber threat and 
incident information with and among states as part of our inter- 
state ISAC program. We have also gathered information and tar- 
geted requests from DHS and provided feedback on the effective- 
ness of various information sharing analysis practices. We have 
drawn on the goodwill of our corporate partners to provide the 
states with supplemental information to help them respond to fast- 
moving threats like worms and viruses. 

Regarding specific efforts by the Commonwealth of Virginia, as 
members of today’s committee know very well, Virginia is home to 
the Pentagon, one of the three sites in the United States that were 
attacked on September 11. The memory of that day and its after- 
math continue to permeate the consciousness of those serving in 
Virginia State government and the local community, while serving 
as a guide for Virginia’s efforts in homeland security and critical 
information protection. To respond to this challenge, Virginia has 
three specific efforts under way. One is the Secure Virginia Panel. 
The second is the National Capital Critical Infrastructure Vulner- 
ability Assessment Project. Three is the Virginia Alliance for Secur- 
ing, Computing and Networking. You have all those in the detailed 
comments in my testimony. 

The first one is a public-private partnership that the Governor 
of Virginia established within 30 days of coming into office. The 
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second one is the District of Columbia, the State of Maryland and 
the Commonwealth of Virginia working together to ensure the en- 
tire region’s assets. The third is the Virginia Alliance for Securing 
Computing and Networking is in the educational community to se- 
cure our research networks that are very instrumental to all of us. 

Mr. Chairman and members of the subcommittee, Virginia and 
all the states represented by NASCIO are moving forward in the 
context of protecting critical infrastructure from physical and cyber 
vulnerabilities. This effort is requiring new ways of thinking and 
new types of relationships between Federal and state entities. 
Much progress has been made, but there is much to be done. 

I enjoy a close working relationship with Virginia’s homeland se- 
curity team, state as well as local, as well as the leaders of the 
Federal efforts in DHS. I know that we do not have all the an- 
swers. We may not even have all the questions. But we know that 
protecting our critical assets from cyber and physical threat is a 
key to ensuring the safety of Americans and protecting our eco- 
nomic security. 

My message to you, in conclusion, is first, despite the continuing 
daily attacks on our nation’s information infrastructure, cyber secu- 
rity is still seen as a secondary threat and the interdependence of 
Federal, state and local systems absolutely requires closer and a 
more cohesive approach, second, we are encouraged by the organi- 
zation and the leadership at DHS to move smartly and timely with 
the assistance of their state and local partners, and particularly 
the recent evaluation of the ISAC approach and the new opportuni- 
ties for effective change that it represents. 

NASCIO will do what it can to assist by working with DHS, ICD 
and NCSD divisions to arrive at the most effective approach, and 
also by developing the states and local addendum to our national 
security strategy. 

Let me take a moment and thank Robert Liscouski, Assistant 
Secretary, sitting next to me, as well as Jim Caverly, who heads 
ICD, and Amit Yoran, the Director of the National Cyber Security 
Division, as well as Steve Cooper, the CIO of the Department of 
Homeland Security. These folks have worked with us, as well as 
George Foresman, Virginia’s Assistant to the Governor for Com- 
monwealth Preparedness, to meet the goals that we have outlined. 

Mr. Chairman, thank you, and members of this committee for 
the opportunity to be here with you today. 

[The statement of Mr. Newstrom follows:] 

Preprared Statement of the Honorable George C. Newstrom 

Chairman Thornberry, Chairman Camp and Members of the Subcommittees, 

Thank you for inviting me to appear before you today. I am before you today 
wearing two different hats: one representing the Commonwealth of Virginia as its 
Secretary of Technology and the second as the Chair of the Security Committee of 
the National Association of State Chief Information Officers (NASCIO). 

I would like to offer my perspective on the issues of partnership and information 
sharing with particular regard to Virginia’s cross-sector efforts to secure its critical 
and information infrastructures and NASCIO’s efforts to coordinate DHS’s inter- 
action with the states on these matters. Virginia and NASCIO appreciate your at- 
tention to this important matter and willingness to get input from a state and orga- 
nization that have direct stakes in the outcome. We believe that success in cross- 
sector infrastructure assurance and information sharing will be the result of per- 
sistent effort by many parties, advancing in spurts during times of urgency and 
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more incrementally during times when trust and cooperation must be solidified for 
the long haul. 

Efforts By NASCIO 

At NASCIO, as I indicated, I serve as chair of their Security Committee. This 
committee addresses the role of state Information and Communications Technology 
(ICT) both in terms of how it supports the wider needs of state homeland security 
directors and in how state governments should be protecting their critical informa- 
tion assets. We also oversee NASCIO’s Interstate Information Sharing and Analysis 
Center (ISAC) efforts, which arise out of a July 2002 memorandum of under- 
standing with DHS’s Infrastructure Coordination Division (ICD), led by James 
Caverly. 

Protecting Governments’ Critical Information Assets 

The information infrastructure is the only part of America’s critical infrastruc- 
tures that are under attack everywhere, all the time. Unfortunately, “cyber” threat 
on a national scale is still treated as secondary to any physical threat whether it 
be chemical, biological, radiological, nuclear, and explosive. NASCIO believes that, 
while cyber-terrorism per se is still an emerging threat, we must press forward to- 
ward a coordinated, intergovernmental approach to protecting governments’ critical 
information assets if we are to ensure that critical governmental business func- 
tions — especially those supporting homeland security — will be available when need- 
ed. If we can secure our systems from hackers and organized criminals, we will have 
gone a long way toward securing them from terrorist and enemy nation states. 

NASCIO has long realized the interdependencies of federal, state, and local infor- 
mation systems, which drives the need for an intergovernmental approach. Toward 
that end, we produced a document in 2002, titled “Public-Sector Information Secu- 
rity: A Call to Action for Public-Sector CIOs” that emerged from a forum convened 
by NASCIO in the wake of 9/11. We also convened a roundtable discussion that in- 
cluded local, state, and federal participants last July here in Washington. 

The primary lessons we have learned are that government ICT personnel should 
be considered a core component to state and local emergency response capabilities, 
because without everything from databases to wireless communications the first re- 
sponders cannot do their jobs. Also, given the fact that the states, counties, and cit- 
ies, are the primary mechanisms for delivering critical services to citizens — includ- 
ing federal programs, if the information systems of a state or local government go 
down, the ability of the other levels of government to do business within that juris- 
diction will be significantly impaired, if not interrupted. This creates a cascading ef- 
fect. 

Supporting State Homeland Security Decision-Makers 

While the CIO is charged with protecting the state’s critical information assets, 
he or she is also charged with managing the day-to-day operations of a wide variety 
of information systems and infrastructure that support first responders and home- 
land security leadership. Up to now, homeland security ICT has primarily been de- 
fined as those systems serving law enforcement and emergency managers. However, 
as state efforts to fuse information for intelligence and all-hazards incident-manage- 
ment purposes become more sophisticated, a wide range of information systems will 
be drawn into the effort, including those from public safety, public health, transpor- 
tation, and agriculture among others. 

Homeland Security at the state and local level is less about organizational change 
and more about cultural adjustment. Homeland security, like technology, requires 
an enterprise approach that synchronizes and harmonizes disparate parts under a 
common umbrella. Key to succeeding with this cultural change is achieving vertical 
and horizontal sharing and integration of information — something that requires ef- 
fective application of technology. This will require the CIO, with statewide over- 
sight, to help manage the development and deployment of systems that can meet 
the ever-changing needs of homeland security decision makers while maintaining 
appropriate levels of privacy and security. Our adversaries will continue to change 
their tactics. Therefore, our information systems must be able to help state home- 
land security directors and DHS gather the information they will need to counter 
these evolving threats. 

Focused Action By The Federal Government Is A Necessity 

It is so important that the federal government consolidate its information dissemi- 
nation capability. While it might be necessary to have separate public safety, mili- 
tary and cyber efforts, we should not have multiple, uncoordinated information dis- 
semination efforts within each of those categories as we do now. Virginia knows 
from first hand experience that the FBI and DHS are issuing separate information 
products to the law enforcement and non-law enforcement communities respectively. 
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This makes it difficult for state homeland security directors and CIOs to understand 
the full spectrum of threats faced by the state without staying abreast of multiple 
channels and fusing the information internally. 

NASCIO knows by way of its work with all the states, that other federal agencies, 
particularly those in the departments of Justice and Health and Human Services, 
are issuing cyber alerts to their state and local programmatic counterparts, which 
are not incorporated into the National Cyber Security Division (NCSD) of DHS alert 
products. NASCIO would be very willing to work with Mr. Yoran and the new Fed- 
eral Chief Security Officers Council to develop an intergovernmental warning proc- 
ess so that state ClOs, homeland security directors, and program specific leadership 
receives coordinated, consistent as well as timely alerts and notices. 

As the ‘911 Commission’ has heard now on many occasions, the issue may be less 
on what and how much we know but who knows it and who they share the informa- 
tion with. In the area of cyber security, we are doing well at countering attacks on 
our infrastructure AFTER they happen. Isn’t our real objective to try to identify po- 
tential attacks in advance so that we can avert the costly efforts to eradicate them 
after they happen? The only way to do this is to ‘connect the dots’ — share informa- 
tion across federal and state agencies in a timely AND focused manner. 

Sharing Information with the States 

NASCIO has been actively engaged in sharing cyber-threat and incident informa- 
tion with and among the states as part of our Interstate ISAC program. We have 
also gathered information for targeted requests from DHS and provided feedback on 
the effectiveness of various information sharing and analysis practices. We have 
drawn on the goodwill of our corporate partners to provide the states with supple- 
mental information to help them respond to fast-moving threats like worms and vi- 
ruses. 

We applaud Amit Yoran’s recent efforts at the National Cyber Security Division 
(NCSD) to engage the states directly and make the US-CERT a valuable tool for 
the entire ICT-using community, including individual U.S. citizens. We are cur- 
rently working with Jim Caverly at ICD to further refine our ISAC program. We 
know that DHS, NASCIO, and individual states have very limited resources to con- 
tribute to any information sharing effort. Therefore, we seek to have an information 
sharing and analysis program that is as transparent as possible between DHS and 
the states. We also want it to provide targeted services with a definable return on 
the sweat equity investment by the states. This will take time. But, NASCIO has 
found its partners at NCSD and ICD to be very receptive to our suggestions for im- 
provement and we remain committed to ensuring the success of any information 
sharing efforts with the states. 

Our NASCIO Security Committee currently has two deliverables in progress for 
2004, which might be of interest to you: 

• A state and local addendum to the National Strategy to Secure Cyberspace. 
Following a meeting with DHS and White House cybersecurity leadership, the 
National Governors Association (NGA) began working with NASCIO to take on 
the joint role of serving as ad hoc coordinators for the state and local sector. 
In that role, we will be forming a task force or working group to produce a brief 
addendum that will highlight the key sector implications of the strategy. It will 
also provide an opportunity to put forth some additional recommendations for 
action by our sector. This group will include state, county, and municipal chief 
information officers (CIOs) and chief information security officers (CISOs) as 
well as participants from the telecommunications directors, utilities commis- 
sioners, and educational community. 

• Defining the role of the CIO in homeland security decision support.NASCIO 
will shortly be releasing a detailed brief on the role of the CIO in supporting 
intra-state intelligence and situational awareness efforts, which combine to pro- 
vide homeland security leadership with what we are calling “decision support.” 
It will include several calls for very precise state and federal action that we 
hope will prepare the states to fulfill the goals of the recently released National 
Incident Management System (NIMS) as well as support the ongoing deploy- 
ment of new and enhanced information sharing networks by DHS CIO, Steve 
Cooper. 

Efforts Specific to the Commonwealth of Virginia 

The efforts undertaken by the Commonwealth of Virginia in securing its critical 
physical and infrastructure has been primarily focused on the development of part- 
nership among key state and local agencies, the private sector and Virginia’s insti- 
tutions of higher education to develop and implement strategies for securing and 
maintaining critical infrastructure. 
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As members of today’s committees know very well, Virginia is home to the Pen- 
tagon one of the three sites in the United States that was attacked on September 
11, 2001. The memory of that day and its aftermath continue to permeate the con- 
sciousness of those serving in Virginia’s state government and local communities 
while serving as a guide for Virginia’s efforts in homeland security and critical in- 
frastructure protection component. 

To respond to these challenges, the Commonwealth of Virginia has three specific 
efforts underway that will be discussed today. These efforts are: 

• The Secure Virginia Panel 

• National Capital Region — Critical Infrastructure Vulnerability Assessment 
Project 

• The Virginia Alliance for Secure Computing and Networking (VA SCAN) 

The Secure Virginia Panel 

As one of his first acts of office to respond to the challenge of protecting the Com- 
monwealth, the Governor of Virginia, Mark R. Warner, signed Executive Order 7 
on January 31, 2002, establishing the Secure Virginia Initiative and convening the 
Secure Virginia Panel. In bringing together state government, local government and 
the private sector, the Secure Virginia Panel and its working groups has served as 
the primary conduit for developing public-private partnerships to deal with the chal- 
lenges in preparing for emergencies and disasters of all kinds, including terrorism. 

Through the Critical Infrastructure Working Group (CIWG) of the Secure Virginia 
Panel, Virginia is tackling many of the same challenges that are also being ad- 
dressed by the federal government. Also comprised of members representing state 
government, local government and the private sector, the CIWG is specifically 
charged with making recommendations that strengthen cyber and physical security 
for critical infrastructure throughout the Commonwealth. By identifying failure and 
inter-dependency points in critical infrastructure security and developing a method- 
ology for prioritization of those points, the CIWG is attempting to answer three crit- 
ical questions: 

1. What critical infrastructure is needed to keep government operational? 

2. How does the Commonwealth of Virginia best coordinate with local govern- 
ment and the private sector? 

3. What organizational structure is best suited to ensuring a coordinated ap- 
proach to both cyber and physical security of critical infrastructure located in 
Virginia? 

To answer these questions, the CIWG has outlined six objectives that it plans to 
meet by December 2004. These objectives are as follows: 

1. Development of a governance model that can best coordinate critical infra- 
structure protection and risk mitigation. 

2. Identification of critical infrastructure. 

3. Identification of inter-dependency and failure points in critical infrastructure 
protection. 

4. Development of a methodology to prioritize critical infrastructure protection 
initiatives. 

5. Assignment of responsibility within state government for coordinating critical 
infrastructure cyber and physical security efforts. 

6. Coordination among the public sector, private sector and institutions of high- 
er education to ensure the development and utilization of a consistent assess- 
ment methodology. 

These efforts are facilitated by prior recommendations that have been developed 
by the Secure Virginia Panel. Specifically, in 2002, the Panel recommended legisla- 
tive changes that would protect from FOIA the disclosure of critical infrastructure 
information submitted to state government by the public sector. Titled the ‘Sensitive 
Records Protection Act’ (HB 2210), the legislation was passed by the 2003 General 
Assembly and subsequently signed into law by the Governor. 

National Capital Region — Critical Infrastructure Vulnerability Assessment Project 

The vulnerability of the National Capital Region was made painfully obvious on 
September 11th, 2001. The coordinated partnership by the federal government, the 
states of Virginia and Maryland and the District of Columbia to the unique situa- 
tion of our Capital region demonstrates the cooperative approach towards homeland 
security and critical infrastructure protection that is being pursued today. 

Under the auspices of the post 9/11 funding provided by Congress, Urban Area 
Security Initiative Grant Program as well as the Department of Justice Community 
Oriented Policing (COPS) program, funded through the Department of Homeland 
Security’s Office for Domestic Preparedness, a leading regional effort for critical in- 
frastructure protection in the National Capital Region is being lead by George 
Mason University. This effort is part of a broader set of NCR initiatives being or- 
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chestrated by the Mayor of DC and Governor’s of Virginia and Maryland under the 
auspices of their representatives on the Senior Policy Group in partnership with 
community leaders. 

The Urban Area Security Initiative (UASI) is a program that helps develop sus- 
tainable models to enhance security and overall preparedness to prevent, respond 
to, and recover from acts of terrorism in high-density population centers. Specifi- 
cally, UASI was created to “enhance the ability of first responders and public safety 
officials to secure the area’s critical infrastructure and respond to potential acts of 
terrorism. Initially, seven metro areas were identified: New York City, Washington, 
D.C., Los Angeles, Seattle, Chicago, San Francisco, and Houston. For the 2004 fiscal 
year, this number increased to 50, now including smaller cities such as Orlando, 
Florida, and New Haven, Connecticut. 

For the National Capital Region, a strategy was developed to provide a strategic 
direction for preventing and reducing vulnerability in the region. The strategy was 
developed based on a number of inputs: the results of an assessment completed by 
communities in the National Capital Region in July 2003, the National Strategy for 
Homeland Security, the Eight Commitments to Action for the National Capital Re- 
gion, and the State Template published by the Homeland Security Council. The 
Strategy focuses on four areas: planning, training, exercise, and equipment. George 
Mason’s activities fall within the planning area. 

The grant from the Department of Justice Community Oriented Policing (COPS) 
program, complementing the efforts undertaken through the UASI initiative, focuses 
on the telecommunications, water, energy, and transportation sectors in the Com- 
monwealth of Virginia. 

In cooperation with five universities, including James Madison University, the 
University of Virginia, Virginia Polytechnic Institute and State University (Virginia 
Tech), the University of Maryland, and Howard University, the NCR Critical Infra- 
structure Vulnerability Assessment Project focuses on improving regional and sec- 
toral methodologies for conducting vulnerability assessments. The ultimate objective 
of the project is to raise the level of security in the National Capital Region by en- 
suring that critical infrastructure sectors address the most important security con- 
cerns. The project seeks to enhance the capability and capacity of the National Cap- 
ital Region to reduce vulnerability, minimize damage and increase resiliency. In ad- 
dition to the regional universities engaged in this initiative, GMU is also working 
collaboratively with industry and government. 

The Virginia Alliance for Secure Computing and Networking (VA SCAN) 

The Virginia Alliance for Secure Computing and Networking (VA SCAN) is a part- 
nership of universities that seeks to strengthen information security programs with- 
in the Commonwealth of Virginia. The partnership includes security professionals 
from George Mason University, James Madison University, the University of Vir- 
ginia (UVA), and Virginia Polytechnic Institute (VA Tech) as well as researches and 
staff from the Institute for Infrastructure and Information Assurance (3IA) at JMU, 
the Center for Security Information Systems at GMU, and the joint GMU/ JMU 
Critical Infrastructure Protection Project (CIPP). Representatives from other Vir- 
ginia institutions, including Mary Washington College, Radford University, The Vir- 
ginia Institute of Marine Science, The College of William and Mary, Virginia Com- 
monwealth University, and the Virginia Military Institute serve as advisors to 
VASCAN partners. 

VA SCAN began offering products and services in March of 2003. The offerings 
are based on the principle that the most lasting improvements to security programs 
can be made not by performing security functions for organizations, but rather by 
educating and guiding management and staff teams in defining and carrying out 
their own security strategies and operations. Some of the products and services of- 
fered include: 

• A Virginia — Critical Infrastructure Response Team (CIRT) group for tracking 

security threats 

• Self-assessment checklist for Commonwealth of Virginia security standards 

• Security policy development and security awareness training 

• Onsite training and security instructional materials 

• Onsite consulting on a variety of security topics and an “ask the expert” email 

service 

• Web-based toolkit of security tools and best practices 
Concluding Remarks 

Mr. Chairman and members of the subcommittees, Virginia and all the states rep- 
resented by NASCIO are moving forward in the context of protecting critical infra- 
structures from physical and cyber vulnerabilities. This effort is requiring new ways 
of thinking and new types of relationships between public federal and state efforts. 
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Much progress has been made but there is much more to do. I enjoy a close working 
relationship with Virginia’s homeland security team, state as well as local, as well 
as the leaders of the federal efforts at DHS. I know that we do not have all of the 
answers and we frankly do not have all of the questions. But we know that pro- 
tecting our critical assets from cyber and physical threats is key to ensuring the 
safety of Americans and protecting our economic security. 

In conclusion, my message to you is that, despite the continuing, daily attacks on 
our nations information infrastructure, cybersecurity is still seen as a secondary 
threat, and the interdependence of federal, state and local systems absolutely re- 
quire a closer, more cohesive approach. Secondly, we are encouraged by the organi- 
zation and leadership at DHS to move smartly and timely with the assistance of 
their state and local partners, and in particular, the recent re-evaluation of the 
ISAC approach and the new opportunities for effective change that represents. 
NASCIO will do what it can to assist by working with DHS’s ICD and NCSD divi- 
sions to arrive at the most effective approach, and also by developing the state and 
local addendum to our National Strategy. 

Let me take a moment to thank Robert Liscouski, Assistant Secretary for Infra- 
structure Protection, DHS; Jim Caverly, director, Infrastructure Coordination Divi- 
sion; Amit Yoran, director, National Cyber Security Division; Steve Cooper, chief in- 
formation officer, DHS and George Foresman, Virginia’s Assistant to the Governor 
for Commonwealth Preparedness for all that they do towards our common goals. 

Mr. Chairmen, I thank you and the members of your committees for the oppor- 
tunity to testify before you today. 

Mr. Thornberry. Thank you. Some very good points. 

I yield to Chairman Camp. 

Mr. Camp. Thank you, Mr. Chairman. 

I appreciate both of your testimonies here this morning. Assist- 
ant Secretary Liscouski, obviously we are very interested in the 
role of the ISACs or the Information Sharing and Analysis Centers 
in being a link to the private sector in terms of infrastructure pro- 
tection. I wonder to what extent you feel that they have fulfilled 
their expectations. Do you still view them as the primary public- 
private partnership link? To that extent, I know that under your 
authority there is a significant budget for public outreach, nearly 
$50 million. It is my understanding none of that has gone to the 
ISACs. I think a little bit of funding might help them in their role. 

So I am really interested in to what extent you consider their 
role important, and still that key link. 

Mr. Liscouski. Mr. Chairman, thank you for the question, and 
to the point about the partnership with the ISACs. We view them 
as critical, along with the other sector-specific agencies and the sec- 
tor coordinators, to ensuring that we have not just the good links 
to the private sector, but most importantly the information coming 
back into DHS to understand what their concerns are. 

Let me just take a moment to address your question by just tak- 
ing a step back for a second to say that we recognize that when 
PDD-63 was established, the direction the ISACs were going into 
was a very good direction, but there was very little leadership from 
the private sector to step up to really help guide those ISACs to 
provide to the government what their requirements were. 

When we established DHS and I became responsible for those 
ISACs, and particularly based upon my private sector background, 
it was clear to me that the model we had to change had to be one 
which was much more of a private sector-led model, rather than a 
government-led model. To that end, and it is a philosophy we live 
by today, we established a capability within my organization for In- 
frastructure Protection, and specifically with the Infrastructure Co- 
ordination Division, to be that central point of contact for us into 
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the ISACs; to establish the links, to formalize those links, but most 
importantly to develop or receive the requirements back from those 
ISACs. 

Based upon that, we developed our fiscal year 2004 funding pro- 
file to ensure that the funding stream that went to the ISACs met 
their initial requirements and their evolving requirements. So we 
set aside $16 million for outreach that would be used to assist the 
ISACs in developing and forming themselves, as well as assisting 
them in their communications capabilities. To date, we have spent 
approximately $6.5 million to support the ISACs in the form of cre- 
ating a common communications mechanism under the Homeland 
Security Information Network, which is a common platform for 
communications which we are rolling out to the ISACs, which effec- 
tively provides a no-cost entry for companies to form an ISAC and 
then gain access to this information, as well as other outreach ef- 
forts to include administrative support and research support vis- 
-vis George Mason University’s Critical Infrastructure Protection 
Project, which is something we also fund. 

We have been working with the ISACs. Specifically back in De- 
cember, we had an ISAC sector summit in which we solicited from 
the ISACs their very specific requirements for how they thought 
they needed to be funded and where their funding priorities are 
and where they remain. 

Mr. Camp. What do you think the principal challenges are in 
having the ISACs reach their fullest potential? 

Mr. Liscouski. It depends upon the ISAC. It is not a one-size- 
fits-all model. I think the expectation we have is that we really 
need their requirements to be well defined as it relates to both in- 
formation sharing on the two-way street. I think we have overcome 
many of the big challenges, for instance the establishment of the 
ISAC Council, which as it relates to the ISAC is our point of entry 
into the broad ISAC community to make sure we get collective 
thought well represented back into the government so we under- 
stand what those needs are. That is one challenge we have over- 
come. 

I think the other challenge is them defining specifically what 
their requirements are in terms of not just linking up with DHS, 
but most importantly conveying to us what their information-shar- 
ing requirements are. 

Mr. Camp. I think one of the critical things is the coordination 
of risk assessment by DHS. I think that is probably one of their 
most crucial roles. It appears as though there are multiple require- 
ments for risk assessment depending on the agency, TSA or Coast 
Guard, or whatever. What steps are being taken to resolve this 
overlap and multiple levels or layers of risk assessment that really 
can be an undue burden on the private sector? 

Mr. Liscouski. I agree with that statement. As you know when 
DHS was formed, TSA had already been in existence and had been 
moving out in its effort very, very aggressively to try to connect up 
with the private sector; similarly with the Coast Guard going out 
and doing what they were doing; similarly with Secret Service and 
others. 

So we immediately began to coordinate the efforts for critical in- 
frastructure protection and come up with common vulnerability as- 
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sessments and risk analysis and capabilities that could be spread 
across the entire spectrum. Over the past year, we have been work- 
ing on that, but we have really been able to even more consistently 
address this through the implementation of the Homeland Security 
Presidential Directive Number Seven, which has really given us 
the impetus to bring together all the various Federal agencies, not 
just within DHS, but across the Federal Government, to under- 
stand these programs and what their priorities are and how each 
respective sector-specific agency is going to be addressing those pri- 
orities. That is a normalization effort that we are currently engag- 
ing in right now. 

Mr. Camp. OK, thank you. I see my time has expired. 

Mr. LISCOUSKI. Thank you, sir. 

Mr. Camp. Thank you, Mr. Chairman. 

Mr. Thornberry. Thank you. 

The gentlelady from California, Ms. Lofgren. 

Ms. Lofgren. Thank you, Mr. Chairman. 

Just a note, we have both Secretary Ridge and Secretary Powell 
downstairs in the Judiciary Committee, so even though I am very 
eager to hear what you have to say, I may be bopping down there 
in the near future. 

I hate to be a nag, but I am going to complain again, Mr. 
Liscouski, about the lateness of your testimony. The committee 
rules require that testimony be submitted 48 hours in advance. 
Once again, yours was received last night at 7:04 p.m., as a matter 
of fact is when we go the email. It is just not sufficient time for 
the committee members to review the testimony. There is a reason 
for the rule and I think it is offensive for the whole committee. I 
hope that that is the last time that this occurs. It is just not accept- 
able to me. I hope that that will not occur again. 

I want to ask a broad question, if I may. We need a comprehen- 
sive risk assessment of our nation’s critical infrastructure. It seems 
to me that that has not yet been completed. I would like to know 
when the comprehensive critical infrastructure risk assessment 
will be completed. Specifically, I would like to know who within the 
IAIP is in charge of this risk assessment work. I would like to 
know the number of employees that are assigned to its production 
and the number of contractors and the number of detailees, the 
specific dollar amount that is assigned to produce this analysis. 

I would like to note that I have a number of questions. We prob- 
ably will not be able to get through with them. In the past, we 
have submitted questions to the Department and generally we 
never get answers to them from any of the witnesses, including 
yourself. So I would like a commitment for those questions that we 
cannot get through that we actually will get written responses from 
you. I will not hold you accountable for our friend Asa Hutchinson 
and the others who have not responded, but I hope that the an- 
swers can be prompt. 

And if you could address the questions that I have asked now, 
I would be very appreciative. 

Mr. Liscouski. Yes, ma’am. I apologize again for the lateness of 
the submission of the testimony. With respect to the questions that 
you just referenced, I know I personally reviewed questions that 
you have submitted to me, so I know that they are a work in 
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progress and we will check on what the status of those is so you 
can get them in a timely way. 

With respect to the comprehensive risk assessment, as I have 
said prior when I have appeared before this committee and others, 
that is an ongoing process. If we do our job right, and I know this 
can be taken out of context, we will continuously revise that list. 
We have over 33,000 assets identified in our national asset data- 
base, for which we are doing analysis on those risk assessments 
and continually updating those things. 

As you are aware based on my previous testimony, the inter- 
dependencies between all those assets continuously change based 
upon the threats. So we will never be satisfied based upon the 
evolving threat environment, that we should sit back and say that 
because we have done one risk assessment for one particular asset, 
that we should not go back and revisit that. So that is a continuous 
process. 

I know it is a difficult thing, but the enormity and the complexity 
and the scope of our critical infrastructure protection mandates 
that we continuously revise and review our risk posture and the 
changing threats, both of group capabilities, as well as their intent, 
second, this is not just a DHS effort, but this is a Federal Govern- 
ment as well as a state and local and a private sector effort. So 
many of those things over which we have responsibility, we do not 
directly control and therefore our ability to get fidelity in the com- 
prehensive listing of all the assets is dependent upon the coopera- 
tion we have with the various entities who play in that space. 

Homeland Security Presidential Directive Number Seven gives 
us a significant leg up on our ability to coordinate these activities 
within the Federal sector. So it is not just DHS in the context of 
TSA and other responsibilities that Under Secretary Hutchinson 
may have, as well as my own group, but it is clearly those within 
DOT, Department of Agriculture, HHS, and others, which have 
similar types of responsibilities. 

So this is a national problem, as you well know, and not just a 
Federal problem. So I would suggest to you that we are working 
extremely hard and we have made significant progress over the 
past year in really aggregating a list. That has given us a very 
clear understanding of the major priorities that we have to address 
and we are addressing those priorities. 

Ms. Lofgren. If I could, we do understand that we are not going 
to come up with a list and then never revisit it. Obviously, it is an 
ongoing process. Am I to understand from your testimony that the 
critical infrastructure risk assessment has been completed and now 
it is a matter of updating it? Or if not, what are the milestones? 

Mr. Liscouski. The milestones are the outreach program that we 
have with the state and local and Federal sectors. We have tasked 
them specifically to identify what they believe are critical, based 
upon the definition in the Patriot Act, which is what we always go 
back to, to ensure that we have clarity of what that list is. Often- 
times we find that what we have done to identify critical assets in 
the United States and what the states and local municipalities and 
cities have done often do not reconcile. So we spend a significant 
amount of time reconciling those assets, doing the consequence 
analysis and the impact of attack on the exploitation and 



25 


vulnerabilities of those assets. So no, ma’am, it is not complete, but 
much of that is outside the control of DHS per se, but based upon 
the input that we get from folks in the respective jurisdictions that 
you all represent, as well as other Federal agencies. 

Ms. Lofgren. My time has expired, but I would ask that you re- 
spond to me. By the way, you did not give me the number of em- 
ployees and detailees. 

Mr. Liscouski. I would be happy to get back to you in writing, 
if I may. 

Ms. Lofgren. If you could also provide a list of what you have 
prepared, the milestones that you have achieved, your timelines for 
the rest of it, and then to the extent that there are departments 
that you are dependent on that have not actually produced, list 
them and tell us what they have not produced so that we can then 
inquire with them. I think that is essential. 

Mr. Liscouski. I think it is. Let me just level-set the expectation 
here. We are asking questions for which are not quite sure what 
the answers are necessarily. I could ask each one of the Represent- 
atives for input on what they think is critical. There might be 
things in there that you know about, that I do not know about. So 
I am asking a question on which I am totally dependent upon the 
folks at the local level for the answers. 

So to suggest that there is a finite number of assets over which 
I have some clarity in terms of a number, then I can measure a 
milestone that I am at the 80 percent level or the 90 percent level, 
to be quite candid with you, is a little unrealistic. We do not know 
all the assets out there. 

Ms. Lofgren. My time has expired, Mr. Chairman. 

Mr. Thornberry. Thank you. 

The gentlelady from California, Ms. Sanchez. 

Ms. Sanchez. Thank you, Mr. Chairman. 

Thank you once again for being before us. I know that we had 
an opportunity, Chairman Cox and Chairman Camp and myself, to 
sit down with you about two or three weeks ago to discuss this 
whole list of 1,700 critical sites. I did gain a lot of information, but 
we were the only ones, and I know some of it is secret information. 
But I think for the ability for some of the committee members here 
today, if you could share with us what intelligence or other infor- 
mation is used to determine the priorities by which you are putting 
these critical pieces of infrastructure on this list that you are work- 
ing on. 

Once the infrastructure is prioritized, what happens to it when 
it is on this list? I know that you and I talked about how you dis- 
cuss this with local law enforcement, where this critical infrastruc- 
ture might be, and that they then are supposed to approach in par- 
ticular private businesses. Can you tell us how that is going? How 
do you follow up on whether anything gets done? Maybe some pri- 
vate business does not really respond to local law enforcement 
when they come forward and say you need to secure this particular 
area in a better way, and here might be some ways in which you 
could do that. Have you provided assistance to these local law en- 
forcement agencies to help them get that job done, of implementing 
it on the ground? 
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Mr. LISCOUSKI. Thank you for your question. I always enjoy the 
opportunity of explaining this methodology. Just to underscore the 
complexity of this effort, in working with the private sector and our 
colleagues on the state and local level, we have developed a meth- 
odology which we are putting out as widely as we can in terms of 
best practices, of understanding what those risks are and how to 
assess those risks. 

When we come up with a prioritized list, it is typically based 
upon a five-step process. The first step in that process is clearly 
identification of those assets, those things that need to be pro- 
tected. Although that sounds like a very simple thing to do, it is 
who owns those things, and really what is the definition that we 
are putting around that infrastructure component, what are the 
interdependencies. There is a significant amount of analysis that 
goes on to the front end of this process to identify the asset. 

Ms. Sanchez. And you are doing this? Or are you using the state 
and local people’s input into these assets in trying to understand 
what they are? 

Mr. Liscouski. It is actually all of that. It is DHS. It is our state 
and local partners. It is the private sector. This is a highly inter- 
dependent process. The second step in that process is clearly un- 
derstanding the vulnerabilities, what can be exploited. The third 
part of that process is understanding the consequence of the exploi- 
tation of that vulnerability. The consequence analysis is based 
upon a number of factors, not least of which is the consequence of 
loss of life or economic impact, or the threat to our national secu- 
rity. 

That gives us a prioritization around then what do we need to 
be looking at first, independent of a threat environment, because 
there are many different continuums upon which we have to oper- 
ate. But the baseline, the sort of steady-state continuum that we 
operate under is one which is an absence of threat. So we look at 
one from a vulnerability and consequence of loss perspective. 

The fourth step in our process is understanding what programs 
we have to put out around to remediating or mitigating those 
vulnerabilities. The fifth step, which if you asked about challenges, 
is the most challenging. That is the metrics component, the output, 
the output of understanding not just what programs are being im- 
plemented to address those vulnerabilities, but are they actually 
being implemented. More importantly, are they being implemented 
well enough to address the vulnerabilities themselves. 

Then we layer on top of that threat information. So as we get a 
better understanding of what vulnerabilities are, we then under- 
stand how groups can exploit those vulnerabilities based upon their 
capabilities and their intent, and our ability to understand from an 
intelligence perspective who is operating against us that might be 
targeting those vulnerabilities in a particular sector. 

That is how we prioritize them. We are actively engaging in re- 
vising that prioritized list to make sure that we can understand 
from a threat perspective what we need to address first. That is 
done in concert with our counterparts, particularly in the Informa- 
tion Analysis Division of IAIP and other members of the commu- 
nity, and then clearly with the ability to understand what is going 
on at the state and local level from their priority perspective. 
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One part of your question also addressed what are we doing to 
help state and locals. That becomes a part of what their capabili- 
ties are. We find out, again, the rising tide, so to speak, of DHS 
does not float all the boats. We have to ensure that we can address 
some specific gaps with the state and locals, particularly at the 
local level, again working with the homeland security advisers in 
partnership in addressing those gaps. DHS may provide best prac- 
tices. We may work with them on the ODP grant process, or we 
may go in there, depending on the specific sector and the specific 
vulnerability against the threat, to assist them in training and 
practical applications of technology to ensure that we can counter 
that threat. 

Ms. Sanchez. I think my time is up, Mr. Chairman. 

Mr. Thornberry. Does the gentlelady have a quick follow-up? 

Ms. Sanchez. A really quick follow-up. In looking through your 
plans and your goals for this year, I just pulled out an example. 
You had in there a desire to send out your team to take a look at 
about 270 specific sites with relationship to chemical possibilities. 
Of those 270, you have so far this year visited 17, two of which are 
now non-active sites. Given that record, just how far along are you 
on this plan of identifying and actually taking a look and making 
back recommendations? 

Mr. LISCOUSKI. Again, thank you the opportunity to address a 
misperception. The last number you just addressed, the 17 or the 
top-most identified critical sites that we saw around the United 
States from a chemical sector perspective, they were addressed in 
fiscal year 2003, actually. The ones that we thought we needed to 
have the greatest impact on very shortly, we did that very early 
on in the creation of DHS. The number actually of 360 sites we are 
addressing in fiscal year 2004 through our Buffer Zone Protection 
Plan. We have been very aggressively going out there and visiting 
sites, providing common vulnerability assessments. 

Our assistance to these sites is one which is either a physical 
visit, coordinated with state and locals and our homeland security 
advisers, in which we will send DHS teams out to conduct an as- 
sessment if we believe it is necessary, or we will provide other 
types of assistance, such as common vulnerability assessments, 
best practice methodologies, interaction with them in a way that al- 
lows them to bolster their own security without us having to actu- 
ally make a site visit, working with our state and local partners to 
do the site visits. 

We do not have enough bandwidth within DHS, nor was the 
model ever envisioned that we would actually go out and do assess- 
ments for the entire industry. We are working with our industry 
partners, with our state and local authority partners, to ensure 
that they know how to do vulnerability assessments and report 
that information back to us. So we are making very good progress. 
I do not have the exact number. I will be happy to get back to you 
on that number. But the number for fiscal year 2004 is on track, 
and I am putting significant pressure on my team to make sure 
they stick with that number. 

Ms. Sanchez. Thank you, Mr. Chairman. 

Mr. Thornberry. Thank you. 

Chairman Cox? 
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Mr. Cox. Thank you. 

I want to thank both of our witnesses for outstanding testimony. 
This is a very, very important aspect of what we are doing. In fact, 
I think it is fair to say that infrastructure protection, and IAIP is 
the heartbeat of this new Department. I want to thank you, the As- 
sistant Secretary, Mr. Liscouski, and Mr. Newstrom for helping us 
focus on this today. Mr. Liscouski, you and Secretary Ridge, Under 
Secretary Libutti and all the men and women of IAIP deserve our 
congratulations and our thanks for what you are doing in this crit- 
ical area. 

You have had to build your capability from scratch. This is not 
one of the 22 agencies that were merged together to form this De- 
partment. You have had to face enormous expectations through pe- 
riods of heightened alert and of course intense scrutiny from the 
Congress because there is nothing more topical or more urgent be- 
fore the Congress. I think mostly you get all of this attention be- 
cause IAIP is in fact the nerve center of this enormous new Depart- 
ment and you are the heart of the Department’s core mission. 

With 85 percent of what we are denoting as critical infrastruc- 
ture key assets to preserve our way of life in the event of attack 
in the private sector, this kind of coordination that we are talking 
about today is just absolutely important. The ISACs are not crea- 
tures of either the Homeland Security Act or any other Federal 
statute. To a certain extent, there is some experimentation going 
on with this. ISACs are constructed along an industry model. They 
are stovepipes in that respect. They are not cross-jurisdictional. We 
have other councils that you are also sharing information with that 
are cross-jurisdictional. 

I want to ask, as the first of my two questions, whether or not 
you think that we should continue this experimental practical R&D 
process, or whether it is time for us to formalize legislatively the 
ISAC process and fund it. The second question I have relates par- 
ticularly to a portion of your testimony, Mr. Newstrom. You 
brought to our attention that you know by way of your work with 
all the states that other Federal agencies, particularly those in the 
Departments of Justice and HHS, are issuing cyber alerts to their 
state and local programmatic counterparts, that these are not in- 
corporated into the national Cyber Security Division of DHS alert 
products. At the same time, there is not an intergovernmental 
warning process that focuses everything from one place in the Fed- 
eral Government. 

You bring to our attention that among others, the 9-11 Commis- 
sion has emphasized that it is not just how much we know, but 
how knows it, that is really important. The vastness of the Federal 
Government, complemented by the vastness of all our state govern- 
ments, and then the private sector on top of it and cross-jurisdic- 
tional concerns that we have makes this vitally important. 

Mr. Liscouski, you have told us, and I have every reason to be- 
lieve you, that DHS is now able to quickly disseminate threat 
warnings to identified entities within each sector. It seems to me 
that is a very significant accomplishment. The next step is to con- 
solidate warnings issued by IAIP to a single node for dissemination 
to our private partners. The ultimate step would be to consolidate 
warnings issued across the Federal Government to a single node, 
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which the Homeland Security Act contemplates. I want to ask you 
both also to address that. 

If you could, I hope that you did not forget my first question. 
Talk first about whether the ISAC model is one still under develop- 
ment and whether we ought to consider other complements to it, 
or whether we are starting to get a feel for exactly what we want 
to do in this area. 

Mr. Liscouski. Thank you, Chairman Cox. I will give you my 
private sector perspective, if I could, to add some fidelity around 
my thinking. I think it is important to understand, as I said ear- 
lier, this is not a government model. This really needs to be a pri- 
vate sector model. 

To your point about the formalization of the ISACs, I think they 
are clearly making some very, very good progress in developing a 
way that the industries can come together through the ISAC 
model. My philosophy that I am providing as guidance to the im- 
plementation of this and working with the ISACs and the private 
sector, is one which really puts the onus on them to define what 
their requirements are. 

For a moment, I just want to digress to talk a little philosophi- 
cally about how information flow goes within the industries, and 
how the information flow that goes through industries is oftentimes 
predicated upon what types of problems they solve. Because indus- 
tries themselves, companies themselves have many diverse prob- 
lems over which they have to share information as well. My per- 
sonal background within aFortune 50 firm that I worked for, was 
that we often looked at not just problems of manufacturing proc- 
esses and the threats that they might be subjected to. That might 
require us to go out to one information pool to figure out how we 
do that, but then the supply chain that feeds that manufacturing 
process might put us into a different information pool or a different 
community of interest. Similarly in the cyber world, that may also 
put us into another community of interest; similarly with the HR 
world. 

We have to provide the capability for the private sector to align 
itself with information or communities of interest based upon their 
needs. We need to facilitate that process as best we can. My fear 
in terms of legislating the ISACs would be from the perspective of 
making it more rigid than the process really should allow. Informa- 
tion flow really needs to be as free-flowing, and we need to, from 
my perspective, facilitate information flow processes. If we put la- 
bels on what that process is at a top level based upon some sector 
alignment, I think that is appropriate. If we get too down to a 
granular level, we will create artificial stovepipes that will not fa- 
cilitate the collaborative process between companies and between 
industries that is so necessary today. 

Industries create this process irrespective of what the govern- 
ment involvement is. That is why industry associations are out 
there. That is why we do things at a level between security officers 
between companies at a very high level to ensure we have very in- 
formal networks for information. I think the important model here 
is one that represents a very highly integrated network model, 
meaning that if you notice terrorist groups today operate in a high- 
ly networked environment themselves. They leverage technology to 
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be able to communicate and develop expertise in areas that they 
can share in a highly diverse networked way, which puts the infor- 
mation at the edges of their organization. 

Similarly with information we need to be sharing here in the pri- 
vate sector, facilitated by the government, needs to be equally di- 
verse and robust in terms of its flow. It has to be highly networked, 
highly capable of changing as situations change. Frankly, I do not 
think the government can facilitate that in any way that would 
allow us to do anything but create a stovepipe if we get too in- 
volved in the process. I would be interested in Mr. Newstrom’s 
comment about that. 

I think the government’s value-added in this process is relevant 
information. I think if we can provide information into the process 
that allows us to know with some degree of confidence that the pri- 
vate sector knows what they need to be doing and they are sharing 
information and solving the problems, we have ourselves a success- 
ful model. 

I think we are going to wind up having to look at this very care- 
fully. I think you are going to hear on the second panel today from 
Diane VanDe Hei how they are implementing their information- 
sharing analysis center in an extremely diverse sector. It is rep- 
resentative here. I think one thing we have to be careful of is, these 
sectors are extremely diverse and we have to ensure that whatever 
we create today can survive not just in what we know about cur- 
rent diversity, but emerging diversity. 

I do not know if that answered your question fully enough. I 
would be happy to add more, but I do not want to take any more 
from Mr. Newstrom’s time, but I would be happy to address this 
more. 

Mr. Newstrom. Thank you, Chairman Cox, for the question. I 
was hoping to get away without getting a question. Mr. Liscouski 
was doing such a great job in answering the others. 

Let me talk about the second part of that question, which was 
how it work together; what kind of fragmented information we are 
getting right now. As I say that, I also commented about how it has 
gotten substantially better. In fact, it has gotten exponentially bet- 
ter in the last 12 months since the inception of DHS and the cre- 
ation of ICD and NCSD. Prior to that, let me suggest the informa- 
tion flow was fragmented. It was not focused. Around cyber secu- 
rity, it almost did not exist or it was sporadic at best. 

Now, with ICD, with NCSC, what Mr. Yoran is doing, what Jim 
Caverly is doing, it is programmatic. It is institutionalized. Even 
better, they have developed a partnership model with state offi- 
cials, with local officials as well as the private sector. It is very ap- 
parent that that is the methodology, that is the direction that DHS 
is going. So we applaud that direction. We ask that we continue 
that direction. 

Certainly, there is still some fragmentation that I addressed in 
a couple of my comments. I hope that over a period of time, hope- 
fully of a short period of time, we can even address those. But I 
do want to comment that the communications in the last six to 
eight to twelve months has been substantially better than it was 
prior to that. 

Does that answer the question, Chairman Cox? 
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Mr. Cox. I think what Mr. Liscouski wants to know, let’s go to 
that question. 

Mr. Liscouski. Let me just address how we are trying to better 
coordinate. Let me just qualify this as a preface by saying, I clearly 
understand that there were gaps in our information flow in the 
past. We did not know what the FBI was sending out. The FBI did 
not know what we were sending out when we first got started, as 
well as all the other agencies. We addressed that very quickly with 
the FBI. We have coordinated alerts going on. We still may send 
them out independent channels. The FBI has the responsibility of 
sending it out to the state and local law enforcement authorities, 
over which DHS does not have domain, and we with the private 
sector and our state and homeland security advisers. 

We are reconciling the fact that the creation of the messages that 
go out now are coordinated and co-developed and cleared off on by 
both agencies. That is a step in the right direction. As Mr. 
Newstrom pointed out, we still have other agencies in the Federal 
Government that are sending out alerts, and we are reconciling 
that through the Homeland Security Presidential Directive Seven 
effort, which is really articulating some of the rules of the road, not 
just the lanes in the road, of how we need to communicate so we 
have a good message. 

In the past, I was concerned that when messages went out, one 
message said black, the other one said white, to the same audience 
from two different senders, that would cause confusion. Now, we 
may have two different senders or multiple senders, but a much 
more consistent message says white from all the senders or black 
from all the senders, so we have consistency around the messaging. 

To that end, and getting more consistency around that, let me 
just address a couple of different ways we are doing that. When it 
comes to a significant incident, particularly in the cyber arena, Mr. 
Yoran has created the Cyber Interagency Incident Management 
Group which stands up with not just the Federal partners, but 
state and local and the private sector to address incidents that 
have to be actively and dynamically managed. He chairs the Chief 
Information Security Officer Forum, or CISO Forum, which is an 
education and networking venue for government security execu- 
tives. Again, it is not just alerts and warnings, but we are getting 
consistency around best practices through that forum, as well as 
the G-FIRST, the Government Forum of Incident Response and Se- 
curity Teams, which is a 24/7 government-oriented group that does 
an analysis that accelerates and enhances an agency’s ability to 
identify a cyber crisis. 

So we have a number of forums, depending upon the particular 
audience, that gets more coordination and centralization of the 
problem-solving approach and the alert mechanisms that are going 
out there. We have work to do, but we are on the right path. I am 
confident that as we continue to move along this path, we will get 
more consistency, so that stakeholders like Mr. Newstrom and oth- 
ers will not have to worry about getting multiple messages from 
multiple providers. 

Mr. Cox. Thank you. 

Mr. Thornberry. The Chair recognizes the Ranking Member of 
the full committee, Mr. Turner. 
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Mr. Turner. Thank you, Mr. Chairman. 

Mr. Secretary, I continue to be amazed at the challenge that you 
face. I sometimes wonder if we are really serious about carrying 
out the task that was given in your directive in the Homeland Se- 
curity Act, which calls for development of that national assessment 
of threat and vulnerability, from which the Congress envisioned 
being able to then set priorities for funding, and also to allow the 
Department and the government generally to know where to allo- 
cate its resources in terms of protecting against terrorist attack. 

We know the Presidential Directive Number Seven that you re- 
ferred to postponed in my view the development of the identifica- 
tion of the critical infrastructure by at least, as I can read it, a 
year, because it says by the end of 2004, you are required to de- 
velop a plan to develop a strategy to identify, prioritize and protect 
critical infrastructure. I know Admiral Loy mentioned on one occa- 
sion that he thought this job ought to be done in a year. You were 
before this committee a few months ago. You said 5 years was a 
reasonable timetable. 

When we look at the staff that you have available to you, I be- 
lieve you have, if my numbers are correct, about 172 people on 
board, with the responsibility of trying to carry out this task of as- 
sessing and identifying our critical infrastructure. It just seems to 
me you have a task that really requires you to come in here and 
tell us what it is going to take to really get this job done in a rea- 
sonable period of time. I think I hear you saying to us that you are 
relying a lot on the ISACs and the voluntary cooperation of the pri- 
vate sector. That is good. That is important and I support you in 
that. But to really do what the Congress mandated in the Home- 
land Security Act in any reasonable time it seems to me it is going 
to require much greater commitment in terms of personnel to ever 
get this job done right. 

I look just at the chemical industry, where you mentioned you 
plan to visit, or have identified 360 sites that you think are at high 
risk. I think you visited a few of those sites. I think I saw the num- 
bers here earlier. You have a lot of work to do. I think I just heard 
you say you may not even be able to visit them all. You may rely 
on our state partners to do that. I am not even sure we have the 
authority to go look at those chemical sites, in terms of getting onto 
the premises and to evaluate them. 

So you have that responsibility that seems to be virtually in a 
posture where you are going to have a very difficult time accom- 
plishing it in any reasonable period of time. Then you have this re- 
sponsibility of trying to solicit information from the private sector 
under the Protected Critical Infrastructure Information Program 
that you have just issued rules on, which is supposed to encourage 
industry to voluntarily tell you about their vulnerabilities. Yet all 
I am hearing is that industry is not satisfied with the regulations 
and are not sure they can trust this agency, so they do not know 
if they want to tell you anything or not. You have 32 employees 
dedicated to that program, with collecting that sensitive informa- 
tion. The budget is $3.9 million. My notes say that we have only 
received information from two companies and two associations to 
date. 
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So I really think that what I would like to hear from you regard- 
ing is, what do you really, in your gut, feel it is really going to take 
to do this job in a reasonable period of time? I know it is easy to 
say, well, I have my budget and this is all they have given me to 
do this job and I am going to try to do it the best I can and put 
the best face on it I can. But you are the person there that is in 
charge of all this. What I would like to have from you is some can- 
did assessment regarding what you really need to do to get this job 
done in a reasonable period of time. I do not believe you have the 
staffing or the capability or the momentum or the support of the 
private sector yet to really ever get it done. 

Mr. LISCOUSKI. I was hoping you would ask me that question, be- 
cause this seems to me a perception we have to kill. The comment 
that I made last time, the first time I testified before you and said 
it was going to take us 5 years. I think that was taken entirely out 
of context. As I stated to Ms. Lofgren earlier, if we are doing our 
job right, we will continually revisit that process. The national as- 
sessment of our critical infrastructure is not just dependent upon 
what DHS is doing. It is clearly dependent upon what the state 
and local governments are doing; what the private sector is doing; 
and our other Federal agencies. 

That process has been ongoing and we have created a list. We 
started this process back in March 2003 with 160 sites based upon 
the Liberty Shield list that we stood up for, the Iraqi war back in 
March. We have grown that list to over 1,700 high priority sites, 
and a total list of 33,000 sites and are adding to it daily. We are 
continuing to add to it because we get a lot of input from our state 
and local partners and the private sector on what is critical and 
what is not. That list is going to continue to grow and we are doing 
assessments, both economic as well as physical and cyber vulner- 
ability assessments on all those. 

It is a significant amount of work, but I think we are making 
very good progress on it. And yes, we are wholly dependent upon 
the cooperation we get from the private sector and state and local 
government. But I will tell you right now, the private sector, and 
this is another perception that if I do nothing today but tell you 
how much the private sector has stepped up to the plate to help 
us and had been doing this long before DHS came along, they have 
been doing a heck of a job. When I was in the private sector, we 
regularly cooperated with state and local law enforcement and the 
Federal Government to ensure that we could coordinate and com- 
municate our vulnerabilities. 

So, is there hesitation? Yes, there is hesitation because it is a 
trust model that we have to build, but I think we have a good stab 
at it. We are doing a very good thing with the congressionally en- 
acted PC II. Are we getting a low response on it? I am thankful we 
are, because we have to do a lot of marketing and outreach to the 
private sector to ensure that we create the right model for them to 
ensure that they have the trust model for DHS, but I think the 
mechanism is there. The public comment period is still open, which 
I think will be open until mid-May. 

I am not surprised we had a slow start out of the block. I was 
hoping for a slow start out of the blocks because I was fearful that 
we would get too much information to be able to handle it. Thank- 
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fully, we have not. So I am very pleased with the mechanism we 
have created based upon congressional guidance to ensure that we 
could provide better protection for the private sector based upon 
their requests. I am confident that we will continue to grow that 
program over time. 

Let me just go back to the beginning of the question, the very 
first question. I would like to take as much time with you person- 
ally to get you to understand our methodology in this process. The 
quantification of the metrics that we are trying to use to get output 
from the activities that we are engaged in is one in which there 
still has to be some research on. When we look at critical infra- 
structure protection, there are three major components against 
which activities have to be applied: physical, cyber and people. 
When we look at the vulnerabilities that are represented in those 
broad domains, we very aggressively identify the assets the 
vulnerabilities represented in those assets across each one of those 
common themes, from people, physical, as well as cyber. We put 
programs to be able to remediate and lower those vulnerabilities. 

But the output and the measurement of what is being done, and 
to be candid with you, from a very private sector perspective, it is 
not just putting money into the program; it is making sure we have 
the right activities going on that can be consistently measurable 
and consistently applied over time, that the outputs can give us 
good indicators about what is being done, and not just what is 
being done and is not being done, but is it being done well enough 
to address the threat. 

My vision on this, and this is going to take some time because 
the technology does not exist yet, is to create a national scorecard 
that allows us to identify where are we in a given sector; how well 
does it look. Those metrics and that quantification of these things, 
which has never really been done before in the security industry, 
is something with which we have been working in the academic 
and the private sector on identifying. 

So to your point, my goals in terms of what we can do with this 
progress and this approach, is precisely to your point: identifying 
the key priorities; where do we need to put the funding stream; 
identifying who is doing what program and well, so with our Fed- 
eral partners in HSPD-7, we are working with OMB to ensure that 
we get the metrics outputs to ensure that if a department has X 
million dollars placed against a specific requirement, that they are 
performing that. And “performing” does not mean are they spend- 
ing money on time; “performing” means are they actually address- 
ing the vulnerabilities and reducing vulnerabilities, and is there a 
measurable way that we can identify the outputs to ensure that we 
get some high degree of confidence of how well we are doing our 
programs. 

So you are precisely on the right track in identifying what are 
the major priorities and challenges here, and that is exactly what 
we are addressing. It is not an overnight process. I am very pride- 
ful of the fact that what DHS has done over the past year has been 
something that we can measurably identify how we have addressed 
the vulnerabilities. It is more than just a few chemical sites. Across 
all the sectors, we have done a great job. The folks working for us, 
they have really worked hard and they are working hard. It is not 
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about DHS. It is about working with all of our Federal partners 
and state and local. 

So I think the things that we are doing, we can tell a good story. 
The biggest challenge we have is getting those metrics that allow 
us to in quantifiable terms measure the progress over time and 
identify the funding profile that you and your committee is so con- 
cerned about. We are doing the right thing and we can show what 
we are doing. 

Mr. Thornberry. I thank the gentleman. 

The gentleman from North Carolina, Mr. Etheridge. 

Mr. Etheridge. Thank you, Mr. Chairman. 

A couple of questions. Mr. Liscouski, I am going to start with you 
because you talked about the risk assessment vulnerabilities. Let 
me ask you one question. You talked earlier about coordination 
with other Federal agencies. What is the nature of the coordination 
between DHS and other Federal and state agencies as it relates to 
developing the national plan to deal with the appropriate counter- 
measures to combat agri-terrorism, which deals with our food sup- 
ply and a host of other areas. Can you give us an update on where 
that is? 

Mr. Liscouski. Yes, sir, I can. Recently, another Presidential Di- 
rective, HSPD-9 addressed bioterrorism and specifically the re- 
sponsibilities in the agricultural industry that needs to be ad- 
dressed by Agriculture and HHS and others that are partnering up 
in that space. We are coordinating that effort again under HSPD- 
7. I apologize for using these different directive numbers, but for 
critical infrastructure protection, to ensure that we have a holistic 
look on all the critical infrastructure sectors. 

So in direct response, I would say that this is an area that we 
really need to give some very sharp focus to in terms of not just 
working with state and locals, but with the Federal agencies and 
ensuring that Agriculture and HHS would have respective leads in 
this space, and have the appropriate outreach, the appropriate 
mechanisms to ensure that the state and local governments are 
doing what they need to be doing, and they are facilitating that 
process. 

Mr. Etheridge. I do not want to interrupt you, but do you have 
a timeline? 

Mr. Liscouski. A timeline for? 

Mr. Etheridge. Completion, or at least a marker of where we 
can work from. This happens to be very important, because it fits 
what you talked about and deals with our food supply, not only 
here, but internationally in what we ship. 

Mr. Liscouski. That specific plan is in process. I cannot give you 
an accurate timeline at this point because that plan is in process. 
I am afraid whatever I tell you today is going to be inaccurate. 

Mr. Etheridge. Would you get back to me? 

Mr. Liscouski. I welcome the opportunity. 

Mr. Etheridge. Let me follow that up, because it follows that 
same thinking to some extent. I will not ask that question, but I 
will just put it in so you can follow later, because it deals with, sev- 
eral years ago we had a problem with our school lunches and the 
food supply and the problems that fell out from that. Let me ask 
what DHS is doing as it relates to, you said earlier, its products, 
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facilities and people. We have seen in just the last couple of days 
what happened in Iraq with the bombing that took place there and 
a number of school children were killed. Can you tell me what is 
being done or what coordination is being done as it relates to our 
schools if a terrorist attack should hit? 

Because we are looking at millions and millions of children in 
this country who go to school every day. Many are in buildings, but 
a large number now find themselves in what we call makeshift 
trailers. I hate to call attention to it, but there is a tremendous 
problem because they are isolated. What is being done? Has any 
assessment been done as to the comparability of protection within 
a brick and mortar building, to students who happen to find them- 
selves, along with staff, in an isolated makeshift structure? 

Mr. Liscouski. Yes, sir. I can address that specifically. We have 
been working with the Department of Education, which as you 
know has a significant outreach capability broadly across the 
United States in K-12 as well as the university system. We met 
recently with Under Secretary McPherson and Deputy Under Sec- 
retary Price to incorporate them into our planning for HSPD-7, to 
directly ask them for their plan. In fact, we are working very col- 
laboratively with them. 

As you know, the education system is not identified as one of the 
critical infrastructure components of the Homeland Security Act, 
but we have the latitude of identifying other sectors as necessary. 
That sector is being addressed both directly and indirectly through 
my office’s Soft Targets Branch. We regularly look at soft targets, 
which schools are one of, to address those specific types of require- 
ments. 

I cannot tell you specifically if we have looked at the analysis in 
the school environment of the impact of a trailer versus brick and 
mortar. I know we have done that in others. 

Mr. Etheridge. Would you follow up on that? 

Mr. Liscouski. I certainly would, sir. 

Mr. Etheridge. I appreciate it. 

I know my time is almost up, but Mr. Newstrom, I have one for 
you. As Virginia’s Chief Information Officer, what specific support 
would you expect from DHS or other Federal agencies, for that 
matter, if you computer system was attacked and was down for 
more than several days, and you were out of business, knowing 
that you have to have an off-site facility, but let’s say it was dam- 
aged and out of space. Do you think the Federal Government could 
give you the expectations that you have? If so, what would you like 
to see us do? 

Mr. Newstrom. I am not sure that we look toward the Federal 
Government in that specific scenario. We have established backup 
plans. We have established backup facilities. We have been redun- 
dant in those facilities and those plans. We work on and practice 
those plans. We also go to the private sector to ensure that we have 
not only internal Commonwealth resources that are backups and 
redundancies, we also have backup with the private sector. 

From a Federal Government perspective, what I would see if 
there is a catastrophic outage in a region of the country. For in- 
stance, if there is an electrical outage; if there is a major telecom 
outage; I would ask that our resources work together very, very 
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closely on that. But on the normal outages that you described, I 
think it is our responsibility to address those. 

Mr. Etheridge. Thank you, sir. 

Thank you, Mr. Chairman. 

Mr. Thornberry. I thank the gentleman. 

The Gentlelady from the Virgin Islands, Mrs. Christensen. 

Mrs. Christensen. Thank you, Mr. Chairman. 

I want to welcome our witnesses this morning. I have a concern, 
as I always do, about where health fits into the picture. My first 
question would go to Mr. Liscouski. We had a hearing or a briefing 
about a month ago on ISACs. At that time, health was not estab- 
lished. In the GAO report which we will hear about in a little 
while, health is not listed. I am assuming that is because it is not 
established. 

Where are we? Is health not a priority in this area? Has some- 
thing happened between the last briefing and today? 

Mr. Liscouski. Yes, ma’am. I think the ongoing work that is in 
progress there is that we have been working with the general 
health sector, both within HHS and with the other more diverse 
components, to establish their ISAC. It is a work in progress. It has 
not been listed by GAO, nor is it on our list because it is a work 
in progress. We do not believe we have consensus around who es- 
tablishes what. I recall from my notes, and forgive me, I am not 
going to go through them, but I believe, as you well know, it is one 
of the more diverse communities in which to work. One of the chal- 
lenges is establishing leadership in that community within one par- 
ticular organization for the ISAC. 

My sense is, and I would be happy to correct this later in subse- 
quent research to get back to you in writing, but my sense is be- 
cause it is so diverse we may wind up creating many sub-compo- 
nents of the ISAC, which may be aggregated up into one larger 
health ISAC. It is clearly on our radar screen as a priority, ma’am. 
So I just indulge you to not make a judgment that it is not a pri- 
ority for us. It is. 

Mrs. Christensen. OK. Is there lead responsibility in the De- 
partment? Has that been identified? Or the divisional responsibility 
within DHS? 

Mr. Liscouski. The Infrastructure Coordination Division, of 
course, has the coordination requirement. Under HSPD-7, the sec- 
tor-specific agency is HHS. Correct me if I am wrong on that. I 
should know this off-hand. But there is a sector-specific agency es- 
tablished under HSPD-7 for the health sector. We are working 
with them to ensure that we have the sector aligned and coordi- 
nated to establish the ISAC. 

So to answer your question, yes, ma’am, there is a sector-specific 
agency responsibility for health. 

Mrs. Christensen. OK. Mr. Newstrom, is health fully integrated 
into NASCIO’s program within the State of Virginia? 

Mr. Newstrom. Health? 

Mrs. Christensen. The health sector. 

Mr. Newstrom. It is fully coordinated and integrated right now. 
We are still working with HHS particularly on some of the commu- 
nications capabilities through the states. They have a very good 
program within their sectors, but it is very programmatic. We are 
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encouraging HHS particularly to focus through NCSD to channel 
their communications to the states. Our entire issue is fusing the 
information, rather than the stovepipes that Mr. Liscouski has 
talked about. 

Mrs. Christensen. OK. 

Mr. Liscouski, you have said that there is a great reliance on the 
private sector in the development of the assessments, and 85 per- 
cent of the assets are owned by them. Are there any inherent con- 
flicts between the objectives of the private sector and the objectives 
of government and the Department that have been identified, that 
had to be resolved as this process has been developed? And how did 
you resolve them? 

Mr. Liscouski. No, ma’am. I think the biggest challenge we have 
had is on the information-sharing side, with the vulnerability as- 
sessments back from the private sector and back into DHS. That 
is what is being addressed through the Protected Critical Infra- 
structure Information Act, the implementation of that. 

As I pointed out earlier, to make a general statement, and you 
can always find exceptions to this, but the private sector is step- 
ping up to the plate of their responsibilities to ensure that they un- 
derstand what is vulnerable for them and in sharing that with 
state and local governments, those who are responsible for pro- 
tecting, and ultimately with DHS. So again, just to reiterate, I be- 
lieve the one challenge which I think we are addressing is the in- 
formation sharing between the private sector and DHS. 

Mrs. Christensen. OK. My last question, and you have probably 
been asked this both at the budget hearings and in several dif- 
ferent ways here today, but you said you do not have sufficient 
bandwidth to do the assessment. That is why the private sector is 
really responsible for doing that and getting that information to 
you. Other testimony says that DHS has limited resources. We 
have seen very close progress. A lot of the questions have been 
around when is the assessment going to be in place. You have said 
the synchronizing and harmonizing of disparate parts is something 
that is still ongoing, and getting a complete situational awareness 
picture is something that you are still working on. 

The Department has the primary responsibility for the protection 
of our critical infrastructure. I am just concerned that if these limi- 
tations exist and that we are not getting the full picture of what 
you really need in your budget to ensure that you are able to carry 
out the mandate of your directive and the Department. 

Mr. Liscouski. No, ma’am. I need to correct your statement. I do 
not mean to be presumptuous, but the comment I made about suffi- 
cient bandwidth is not relevant to do we have the capability and 
the necessary resources. We do. You could give me more money. It 
is not a money issue. What it is is that the information that has 
to be collected is not about what DHS can do. Nor would I suggest 
to you that this is a responsible role for the Federal Government 
to do it all. The Federal Government, and this is a national prob- 
lem, you would not create a mechanism as big as you would need 
to collect all the information you want. 

So the appropriate approach is the one that was created with the 
Department of Homeland Security, which is clearly a coordination- 
collaborative approach with our state and local partners, with other 
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Federal agencies to ensure that we can get them to do what they 
have to do. That is precisely what we are doing. It is leverage. It 
is not about bandwidth, necessarily. What I meant about band- 
width is all the things that would scope into that, time, and the 
enormity of the complexity of the task. 

This is not, do we need to have more resources at the Federal 
Government level to do all this work. This is about working with 
our partners and our stakeholders to get them to do what they 
need to be doing. That is the essence of this. At the end of the day, 
the questions and the concerns we need to be addressing here are 
developing and creating consistent sustainable programs which are 
effective and measurable over time, that can answer the big ques- 
tions of, are we protecting what we need to be protecting? And are 
we really doing it well? 

That is the process we are developing. Again, level-setting the ex- 
pectations here, this is not going to happen overnight. If I had a 
magic wand, if you all could tell me if there is one thing you could 
give to me that would allow me to do my job better, it would have 
to be a want that I could just broadly push across the United 
States and say, it’s protected. But it is a process. It is a process 
because our economic system and everything we have built in this 
country is predicated on being open. Our openness which is our 
greatest strength is our single biggest vulnerability. 

So it is an enormous thing to address. It is not about what DHS 
can do. It is about mobilizing the American public. It is about en- 
gaging with the private sector and the state and local governments 
to ensure that we all know what we have to do and we can meas- 
ure it in a way that we can tell with confidence that we are doing 
the right thing. 

So again, I just want to correct a misperception I have created, 
which is not about do I have enough resources. It is about we all 
have to mobilize at all the levels of Federal and state and local gov- 
ernments to do the right thing. 

Mr. Thornberry. I thank the gentlelady. 

The new member of the committee, the gentleman from Ken- 
tucky. Welcome. You are recognized for 5 minutes. 

Mr. Chandler. Thank you, Mr. Chairman. It is nice to be here. 

Mr. Liscouski, thank you for your testimony. Thank you for being 
here today. I am interested in some information regarding our ef- 
forts to protect and secure critical Federal facilities. For the past 
several decades in Central Kentucky, our citizens have lived next 
to a potentially dangerous chemical weapons stockpile. This is the 
Bluegrass Army Depot near Richmond, Kentucky. It contains well 
over 500 tons of chemical weapons, nerve gas, mustard gas, that 
sort of thing. 

In 1988, in its environmental impact statement, the Department 
of the Army identified that in a worst-case scenario, an incident 
that would occur at this depot could result in plus or minus 15,000 
fatalities in our area. So you can imagine that this is something 
of great concern to us. 

What I would like to know is what type of information-sharing 
activities are occurring right now between the Department of 
Homeland Security, the Department of Defense, state and local 
governments, first responders, all those folks, to ensure that we 
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prevent and are prepared to respond to an accident or a deliberate 
attack on facilities like this one, Federal critical infrastructures. 

Mr. Liscouski. Sir, you pointed out a key stakeholder in your 
question, and it is the Department of Defense which has responsi- 
bility for the defense industrial base and the supply chain that 
feeds that, and that is clearly a component of that. But we partner 
up very closely with DOD. They have a very robust capability on 
critical infrastructure as it relates to their facilities. Their partner- 
ship with state and local governments is something we have inte- 
grated our efforts with, as well as our response and recovery ef- 
forts. 

I can speak to them at a top level. As you well know, that is out- 
side my directorate, but working with state and local first respond- 
ers under the directorate for EP &R, I do not know if exercises 
have been held directly in that jurisdiction, but I can get back to 
you on that. 

Mr. Chandler. If you would, please do. That was another one of 
my questions, whether exercises would be held. I do not believe 
that they have been. I am very curious to know whether there are 
plans in the works to hold exercises to make sure that our folks 
are ready. 

Mr. Liscouski. Yes, sir. I would be happy to get back to you on 
that. 

Mr. Chandler. I appreciate that very much. You all are working 
with the Department of Defense, though, on these sorts of issues; 
working very closely, but as I understand it, you are not aware of 
precisely what has been going on. 

Mr. Liscouski. At that particular site, sir, I do not know. I can- 
not tell you that specifically. I would be happy to get back to you 
on that one. 

Mr. Chandler. OK. If I may just add one other question. You 
may want to get back to me on this as well. If there was an attack 
on that depot, we have already in place, and this is a team that 
pre-dated the creation of the Department of Homeland Security. It 
is the 41st Weapons of Mass Destruction Civil Support Team. It is 
based in Louisville, Kentucky. It is currently responsible for re- 
sponding to a disaster at that facility. I am interested in knowing 
whether DHS has gone back to that team and checked on working 
out some sort of information-sharing arrangement with them. 

Mr. Liscouski. Sir, I will have to get back to you on that. 

Mr. Chandler. OK. 

Mr. Liscouski. Thank you. 

Mr. Chandler. Thank you very much. 

Mr. Thornberry. I thank the gentleman. 

The gentleman from Maryland. 

Mr. Cardin. Thank you very much, Mr. Chairman. 

Let me thank both our witnesses for their testimony here today. 
I find it very informative and very helpful. 

I want to talk about the National Capital Region for one mo- 
ment, if I might. Tomorrow, the House of Representatives is going 
to be talking about the continuity of the House of Representatives 
in the event of an attack against us. I have many concerns about 
how well we are prepared in the National Capital Region itself. I 
know that there are committees that have worked on it. I know 



41 


there is cooperation between Maryland and Virginia and the Dis- 
trict of Columbia and the Federal Government. I am concerned 
somewhat that I believe the region that has been included in the 
studies are somewhat small, with a restricted number of counties 
within Maryland and Virginia. I represent Annapolis. I represent 
Baltimore. I know that there is an episode that occurs at a chem- 
ical plant in Baltimore and it will have an impact on the National 
Capital Region. I know that on any given day trying to get out of 
the nation’s capital is a challenge. If we have a national emergency, 
it is going to be impossible. 

I just want to get some assurances from you that clearly progress 
is being made here as to how we can prepared. We know that this 
is the seat of government. We know that it has been a target of 
terrorist attacks. We know the tremendous interests of this area in 
disrupting our government. So can you just share with us as to 
what special considerations are being made in regard to the Na- 
tional Capital Region and how it is affecting the surrounding juris- 
dictions beyond just the immediate counties in Virginia and Mary- 
land that are directly working with you. 

Mr. Liscouski. Sir, I appreciate your question. I am going to 
have to defer to Under Secretary Mike Brown who is responsible 
for the response requirements through the NCR. I can tell you just 
based upon my level of understanding and engaging on the critical 
infrastructure protection side, that I have knowledge that there are 
regular exercises being conducted throughout this region, which ad- 
dress some of the concerns you have. But to give you more con- 
fidence, I just request to defer that to Under Secretary Brown for 
a response. 

Mr. Cardin. Let me bring you into this discussion, because you 
are making assessments of the nation’s infrastructure sensitivities 
and priorities. I would just urge you that the Federal facilities lo- 
cated in the National Capital Region and surrounding areas are 
particularly vulnerable. The stress on local governments is particu- 
larly great. The chemical plants in Baltimore present an extra 
challenge. All chemical plants present challenges. The fact that it 
is located close to the nation’s capital makes it an even more sen- 
sitive target. The Federal facilities located in Annapolis or located 
along 1-95 close to the nation’s capital are particularly vulnerable 
because of location. 

As you are making your national needs assessment, is location, 
those types of considerations, going into the equation as to the type 
of fences that we need to put in place? 

Mr. Liscouski. Yes, sir, it is. We have been doing a lot of work, 
as you are probably well aware, with state and locals here in the 
National Capital Region, doing the assessments for the various in- 
frastructure components to include the Federal facilities. We have 
I think a robust capability there in understanding not just what we 
have to do to protect, but the actual protection of those facilities 
has been equally as robust. 

So yes, sir, to answer your question, we are working very closely 
with the state and locals. We understand that there are some limi- 
tations. We are trying to supplant those limitations through the 
ODP grant process, but we are working very closely with them. So 
from a protection standpoint, we have very good clarity around the 
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vulnerabilities that are here, as well as the protection require- 
ments that are needed to mitigate those vulnerabilities. 

Mr. Cardin. Did you want to respond? 

Mr. Newstrom. Congressman, in my written remarks I address 
the NCR specifically. In addition to what DHS is doing, the Gov- 
ernors of Virginia and Maryland and the Mayor of the District of 
Columbia have met together on this specific subject. In fact, be- 
cause of funding through and by DHS, we have an initiative called 
the Urban Area Security Initiative, which specifically focuses on 
the National Capital Region and first responders. We have come a 
long way since 9-11. 

Mr. Cardin. I was just going to point out that the concern we 
have with that is it s the restricted jurisdictions that can partici- 
pate within Maryland and Virginia. When you look at trying to 
evacuate people from the nation’s capital, you need to look beyond 
just the immediate counties in Maryland and Virginia. As you look 
at protecting infrastructures, you need to also look beyond those 
counties. 

If you live in Anne Arundel County, Maryland, where many peo- 
ple commute into Washington, D.C. or you live in Frederick Coun- 
ty, you are very much impacted also. We are concerned that there 
is a limited interest and it needs to be expanded. 

Let me let you continue on that. 

Mr. Newstrom. Congressman, you are absolutely right. I could 
not agree with you more. In fact, the initial steps were originally 
around communications and the lack of ability by policing entities 
from the different jurisdictions to be able to communicate during 
and after 9—11, including the military. So that was addressed very, 
very early. But around transportation and the issues that you 
bring up, we are still in the infancy stages of trying to define that. 

Mr. Cardin. I would just urge you to give it a higher priority. 

Thank you, Mr. Chairman. 

Mr. Newstrom. Yes, sir. 

Mr. Thornberry. I thank the gentleman. 

The gentleman from Washington. 

Mr. Dicks. Thank you. 

Mr. Liscouski, I am very concerned about something. It is my un- 
derstanding that your directorate has compiled a critical asset tar- 
get list for each state, and forwarded that list to each state’s pri- 
mary point of contact to begin planning security enhancement ac- 
tivities. I have reviewed this list of critical assets in Washington 
State and I am deeply concerned by several obvious omissions that 
fit well within the criteria presented. 

I have discussed this issue with my state’s homeland security ad- 
viser, who has told me that there was very little opportunity for 
comments and revisions coming from the state and local level. It 
is absolutely imperative that a list of critical infrastructure be de- 
veloped. I could do this. I think any member of Congress could sit 
down in about 10 minutes in their own district and write down a 
list of critical infrastructure. If you have 170 people down there, I 
cannot understand why it is taking so long to get this job done. I 
worry about the gaps. 

When you have a list that does not. . .you have the Seahawk 
Stadium, you have the Husky Stadium, but you do not have Safeco 
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Field, the Tacoma Dome, the Port of Seattle, the Port of Tacoma, 
Grand Coulee Dam. . .talk about a national icon. . .the Boeing 
Company and Microsoft. None of them are on the list, including the 
Puget Sound Naval Shipyard in my hometown of Bremerton, Wash- 
ington, which overhauls and repairs every major nuclear ship on 
the West Coast; the Trident Submarine base, we have nuclear mis- 
siles and nuclear weapons. 

What is going on here? This list that I saw is the most pathetic 
exercise I have ever seen since I have been up here. There are a 
lot of pathetic things I have seen in 28 years in Congress, but this 
is the worst I have ever seen. I could have done this myself and 
done a better job. I do not understand who is doing this. Who are 
they talking to? This is serious. It is not getting done and I am 
very concerned about it. Can you give me some assurance that we 
are going to get this thing straightened out, that somebody will 
talk to the people in the State of Washington? To General 
Lowenberg who is the Governor’s assistant, and get a credible list 
of things put on this thing? Why is this not happening? 

Mr. Liscouski. Thank you, Mr. Dicks. I am a little surprised at 
the characterization from the homeland security adviser that he 
has not been contacted or has not had any input. In fact, the pur- 
pose of sharing that list is to solicit the input. 

Mr. Dicks. But the list has already been put out. Here it is. They 
should have consulted with them before they put out the list. 

Mr. Liscouski. I will certainly get back to you to find out if they 
had or had not been consulted. 

Mr. Dicks. I have the list right here. None of these things are 
on there. This is like the crown jewels of Washington State. Every 
one of them is missing from this list. I just cannot believe that this 
is happening. 

Mr. Liscouski. Mr. Dicks, I just want to caution. We typically do 
not publicly disclose the assets on that list. So to talk about it in 
any degree of fidelity here, I would suggest — . 

Mr. Dicks. None of them are on there, so I have not discussed 
anything that is on there. 

Mr. Liscouski. To my point, I would be happy to discuss with 
you in a separate setting — . 

Mr. Dicks. To discuss the things that are not on there? 

Mr. Liscouski. Sir, to my point, I would be happy to discuss with 
you in a private setting where we can talk about specifically what 
is on the list and what is not on the list, but I do not think this 
is the appropriate forum right now. 

Mr. Dicks. Can you answer this question? Let’s go to the process. 
Why is this thing so screwed up? With all due respect, I do not get 
any sense of urgency here. 

Mr. Liscouski. There is a significant sense of urgency, sir. 
Again, without commenting on the specifics of that list, I will go 
back and review the process and I would be happy to sit down with 
you and talk to you about how that list was developed. If there are 
gaps, we would be happy to correct them. The mandate is for my 
folks to make sure we absolutely engage with all the respective 
stakeholders at the state and local sectors to ensure we have it 
right. I will be happy to review it and get back to you, sir. 

Mr. Camp. Would the gentleman yield just for a brief moment? 
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Mr. Dicks. Yes, I yield. 

Mr. Camp. The subcommittee did hold a classified briefing where 
the Secretary did bring the full list. It was available for all mem- 
bers to review who attended that briefing. I would be happy to 
work with you to try to make sure so that not only there, but other 
places — . 

Mr. Dicks. The list that we have right here, this is not — . 

Mr. Camp. It is classified, so we did not take any paper out of 
the room, but I know that Ms. Sanchez was there and it might 
have been difficult for other members’ schedules to attend that par- 
ticular classified briefing. I know the Chairman was there and oth- 
ers. But we had an opportunity to review this list and we all looked 
at various assets from our states and made comments. 

Mr. Dicks. Apparently we were only given 24 hours notice of 
that, but I appreciate the fact that you did it. I do not want to be 
critical of that. 

Mr. Camp. We did have more notice than that because we 
worked on it for a long time to get it put together. So I would dis- 
pute that it was only 24 hours notice, frankly. 

Mr. Dicks. That is the actual time of the meeting. 

Mr. Camp. Yes. 

Ms. Sanchez. Would the gentleman yield? 

Mr. Dicks. Yes, I yield. I am just worried about this. 

Mr. Camp. We did have an opportunity to look at that. 

That is just my point. Thank you. 

Mr. Dicks. OK. I yield. 

Ms. Sanchez. We are trying, I believe, to set up another meeting 
with more notice to do the same thing. It is a classified list. There 
are things that are omitted from that list, even from my own dis- 
trict. You only get to look at it when you are in there, but hopefully 
you can attend the meeting; you can take a look at what is really 
on the list. I do not know if that list is what is the list that we 
took a look at when we were in the private meeting. 

Mr. Dicks. Maybe there is a separate list that we were not told 
about. This is what I was presented. The reason I am concerned 
is there are a lot of things that should be on that list that are not 
on there. 

Mr. Liscouski. Sir, maybe if I can just have one final comment, 
without drawing this out. The states were required to submit their 
list, sir, so I suspect if we did not receive their input, and again 
I will go back to our group to address this, but there are a couple 
of different reasons as to why the list you may have, it may be old 
or out of date, I am not quite sure what, but we did not do any- 
thing without the state’s input, sir. 

Mr. Thornberry. Does the gentleman yield back? 

Mr. Dicks. Just for one second. The list we have is the list that 
was given to the Adjutant General. He was quite concerned about 
it and made that clear and made it clear to us, the members of the 
delegation for the State of Washington, that he was quite upset 
about it. Washington State has been as forward-leaning as any 
state that I know of. They have done a complete statewide plan. 
In that plan, it talked about all these other issues that I mentioned 
that are not on this list. So to me, I just hope we can get this 
straightened out. 
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Mr. Thornberry. I thank the gentleman. This is obviously not 
an issue before my subcommittee. It is Mr. Camp’s subcommittee. 
When we are talking about information sharing, if there are classi- 
fied lists that are floating around in a way that classified informa- 
tion is not supposed to be handled, I am a little concerned about 
that. 

Mr. Camp. Would the Chairman yield? 

Mr. Thornberry. Sure. 

Mr. Camp. I would be very concerned if the Adjutant General is 
sharing that list in that format in an unclassified way, frankly. 
That is not appropriate. So if that is the way that information is 
getting out, I would question its accuracy and I would certainly 
question the process. 

Mr. Dicks. It was not presented to him in a classified format. 

Mr. Camp. It is probably not the correct list. So I think what we 
need to do is have another classified briefing. 

Mr. Dicks. We have to sort this out. I will glad to apologize to 
anyone if this is not the list, because when I saw this list I frankly 
was outraged, as you can tell. 

Mr. Camp. The purpose of the meeting was to make sure that 
members did have an opportunity to review lists from their states, 
because we do think that it was in a classified setting inside the 
skiff so that it was a confidential meeting. I will be glad to work 
with the gentleman to try to set up an opportunity. 

Mr. Dicks. Let me just for the record, the person who presented 
this list to the state was James McDonnell, Protective Security Di- 
vision, U.S. Department of Homeland Security. 

Mr. Camp. It may not be a complete listing of all of the assets 
on the classified list. We will get to the bottom of it. 

Thank you, Mr. Chairman. 

Mr. Dicks. I appreciate the gentleman’s help. 

Mr. Thornberry. We are ready to move to the second panel. 
Does the gentlelady from Texas have questions she would like to 
ask of this panel? 

Ms. Jackson-Lee. Yes, I do. 

Mr. Thornberry. The gentlelady is recognized. 

Ms. Jackson-Lee. Thank you very much, Mr. Chairman. I was 
in a hearing with both the Chairpersons and the Chairman of the 
full committee that I hope we will have, and that is with Secretary 
Powell and Governor Ridge on the request for an extension of the 
biometric passport. So I apologize to the witnesses for my delay, 
but let me just ask one pointed question to the Assistant Secretary. 

Just for your information, I know many of us come from areas 
that have their own critical infrastructure, but coming from Hous- 
ton, Texas obviously the refineries and the chemical plants are very 
well known. In fact, in the last four to six weeks, we had yet an- 
other explosion in the area that impacted neighborhoods and im- 
pacted people. We are grateful that it was a technical or an infrac- 
tion that had nothing to do with terrorism, but you can imagine the 
sensitivity to this issue. 

So let me just cite specifically what we seek. I think that you 
may be aware of a recent news program that highlighted the condi- 
tions of chemical plants, and I might say the outrageous condition 
of chemical plants, open gates, lack of guards, dilapidated fences, 
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all allegedly protecting chemicals that could potentially kill or in- 
jure tens of thousands or even millions of people nearby. 

We know the ISACs are working on communication. I under- 
stand that DHS is developing a best practices, but it is hard to 
imagine that every plant manager does not already know or that 
we cannot simply get out a manifesto to every plant manager by 
way of inventorying all of these plants wherever they might be, 
that closing the gates around tanks of chlorine gas a mile from a 
school is a best practice. 

So my question is, how can we secure the homeland when even 
these simple tasks are not being done? One, has your particular 
area done the risk assessment that many of us have been calling 
on for a long, long, long time? Have you done that in the context 
of getting out the simple to-dos, such as closing fences, fixing gap- 
ing holes in fences, providing some kind of lock system, trained se- 
curity personnel? And do we have a manifesto of sorts, a document 
that can easily be understood by the myriad of chemical operations 
around the country? 

I can assure you that we in Houston and the parameters of our 
area have been faced with explosions throughout our lifetimes. We 
have been fortunate that it has not been the massive catastrophes 
that a terrorist act could bring about, but we have lost lives. So I 
am very concerned, one, that we still sit here in 2004 without a 
risk assessment. I would ask you if you could respond to that, as 
well as any simple tasks that have been given to these operators 
of these plants that they could be implementing as we speak. 

I thank the distinguished Chairman. 

Mr. Liscouski. Yes, ma’am. Thank you. I addressed this earlier 
and I would be more than happy to do it again when we talk about 
the national assessment. 

Ms. Jackson-Lee. I thank you for your indulgence. 

Mr. Liscouski. This notion of a national assessment is some- 
thing we have discussed many times. It is ongoing. We are making 
significant progress in compiling our national asset database. As I 
mentioned earlier, when DHS was first created back in March of 
2003, we had started off with a list of about 160 critical sites in 
the United States that we thought were the high priority targets. 
We quickly grew that to 1,700. Out of a list of 33,000 assets that 
we have currently identified, we are still getting information back 
from the state and locals about what their priorities are and what 
should be on that list. That list is growing. 

We are prioritizing those activities. As it specifically relates to 
the chemical sector, we have identified out of the 4,012 sites 
around the United States that we believe are those that require the 
top tier. Not top tier, but of the 4,000 sites we have identified, this 
year alone we are addressing the 360 sites around the United 
States that need to address their security. We are addressing that 
in a variety of ways. 

First of all, let me just qualify. The issue here is not just a pri- 
vate sector problem, but this is a state and local government and 
private sector problem. It needs to be a totally integrated plan. We 
are working with state and local authorities, as well as the private 
sector to put out best practices. To that end, we have done a vari- 
ety of things. 
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We have put out common vulnerability assessments and shared 
those with best practices perspectives. 

Ms. Jackson-Lee. Mr. Secretary, may I do this, because as you 
indicated I came in and you had already indicated that. Let me just 
be pointed. 

Mr. Liscouski. Sure. 

Ms. Jackson-Lee. Have you in any way secured the transcript 
of that program, 60 Minutes? Have you visited any of those plants, 
because they seem to be the worst-case circumstances. If I may 
make a comparison, though it is probably an unreal comparison, 
over the last 24 hours we had a number of bombings at Iraqi police 
stations. That seems to be a notable target. Maybe our allies and 
Coalition forces should be having an inventory of police stations, 
knowing that they are targets. 

We know that chemical plants can be targets. There are atro- 
cious activities going on, maybe for lack of direction. Have you gone 
out into the field and visited these plants? When you say “ongoing 
risk assessment,” I can only say to you that “ongoing” is positive 
to the effect that we always believe we should continue to learn, 
but it is not positive from the perspective of the crisis of terrorism 
in this country. So when will we finish the risk assessment? Have 
you been to these plants and given them any direction? 

Mr. Liscouski. Yes, ma’am, we have. 

Ms. Jackson-Lee. I am sorry? 

Mr. Liscouski. Yes, ma’am, we have been to the plants. We have 
been to plants specifically in your jurisdiction, in fact, and I would 
be happy to share those details with you in a different venue other 
than this. We have been very aggressive about the prioritization of 
chemical plants. It is a top priority for us. We recognize the 
vulnerabilities. We are working with the industries, state and local 
governments, as I pointed out. We have buffer zone protection 
plants in place. We have shared best practices for vulnerability as- 
sessments. We have shared common characteristics of terrorist 
operational patterns with both the industry and state and local 
governments. 

So I am quite confident that we are addressing it. To your point, 
we are in a continuous improvement process. Unfortunately, those 
remarks get taken out of place. You always ask me, am I satisfied? 
I am never satisfied. I think it is one of the reasons I got this job. 
It is because you never want to be satisfied with where you were. 
We never want to become complacent. 

So we are in a continuous improvement mode. Will we ever be 
finished? We are going to continuously improve our ability to pro- 
vide protection in this country of ours, because this is an incredibly 
complex problem. It is not just about what the plants are doing. It 
is how are the groups themselves evolving their techniques and 
their capabilities? So this is a multi-dimensional process. This is 
not just one which becomes static to say, put up a 12-foot-high 
fence and you have security, because we know that terrorists can 
get a 15-foot-high ladder. 

So we are continuously looking at what we need to be doing here 
to improve security. I know you are very sensitive to that. I appre- 
ciate your comments. I would be happy to share with you with 
more fidelity about what we are doing. I know we have done that 
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many times with the staff up here. If you have not had the benefit 
of a briefing, I would offer that to you. 

Ms. Jackson-Lee. Mr. Chairman, I thank you very much. I will 
accept your offer, Mr. Secretary. I would like to talk specifically 
about the region and what you have done in that area. I thank you 
very much. 

Mr. LISCOUSKI. Terrific. Thank you. 

Mr. Thornberry. I thank the gentlelady. I thank both of our 
witnesses. 

I am going to submit my questions in writing to the witnesses. 
Mr. Liscouski, if we could have a similar agreement with you as 
we had before, and that is a real effort to try to get answers to 
written questions in two weeks. I understand it is not completely 
within your control, but if you can help push on your end, I think 
it will help relations with all members. We will also try to limit the 
number of questions. 

Secretary Newstrom, let me also encourage you on behalf of your 
organization to continue to discuss with us not just how much we 
have improved, but what yet needs to be improving, because it is 
only by identifying those areas that we still need to make progress 
on, giving little pushes here and there, that we can, as Mr. 
Liscouski said, though we will never be satisfied, we can continue 
to improve. I think you hit on some key points in your testimony. 

With that, let me thank both these witnesses. You are both ex- 
cused. We will go ahead and bring up the next witnesses. We 
should have votes starting soon, but we will press on until the bells 
make us recess. 

So thank you both. You are both excused. 

Mr. Newstrom. Thank you. 

Mr. Thornberry. Let me thank the members of the second panel 
for your patience. Obviously, there is a lot of interest in this issue. 
I have no doubt we will need to recess for votes here in a moment 
and come back. We will do that. 

As you all are getting situated, I will introduce our next panel, 
which includes Mr. Robert Dacey, director, information security 
issues for the General Accounting Office; our former colleague, 
Hon. Dave McCurdy, executive director of Internet Security Alli- 
ance; and Ms. Diane VanDe Hei, vice chair, Information Sharing 
and Analysis Center Council. 

Mr. Dacey, I think you are first. Would you like to submit a sum- 
mary of your statement before we go and vote? If you could do that 
within 5 or 6 minutes, then we will go ahead and do that, and then 
we will have to come back for the other witnesses. Thank you again 
for being here, and you are recognized. 

STATEMENT OF ROBERT DACEY, DIRECTOR, INFORMATION 
SECURITY ISSUES, GENERAL ACCOUNTING OFFICE 

Mr. Dacey. Thank you, Mr. Chairman and members of the sub- 
committee. I am pleased to be here today to discuss the status of 
ISACs, including the initial results of our ongoing review which we 
are performing at the request of the subcommittees. As you re- 
quested, I will briefly summarize my written statement. 

Beginning with PDD-63, Federal policy has encouraged the vol- 
untary creation of ISACs as key information-sharing mechanisms 
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for the private sector entities and state and local governments that 
own and operate most of the nation’s critical infrastructures, and 
for the Federal Government. Further, Federal policy established 
specific infrastructure protection responsibilities for the Depart- 
ment of Homeland Security and other Federal agencies. 

Although their missions are similar, the current ISACs were es- 
tablished and developed based upon the unique characteristics and 
needs of their individual sectors. Consequently, they operate under 
different management and operational structures and have dif- 
ferent operational capabilities, which are summarized in our writ- 
ten statement and include, number one, various business models 
such as private entities, parts of associations, or a partnership with 
the Federal Government. Many also use contractors to support 
their operations. They also vary in the nature of the hazards that 
are covered, such as cyber, physical or all hazards, which would 
also include natural events. 

The second major point is the various funding mechanisms that 
exist. They may be funded through special fee-for-service activities 
including tiered levels, association sponsorship, Federal grants, or 
voluntary or in-kind operations by the participants. 

The third major difference is the models or methods by which 
they share information. While most have electronic information 
shared via email and Web sites, some of which are secured, others 
have regular conference calls for their members, and some have es- 
tablished facilities for quickly organizing crisis conference discus- 
sions. 

DHS and the sector-specific Federal agencies have undertaken a 
number of efforts to support the ISACs and to build the public-pri- 
vate partnership called for in Federal CIB policy. Mr. Liscouski 
earlier today discussed at some great length the efforts being taken 
by the Department. 

In addition, the sector-specific agencies are also taking actions, 
including funding, to help ISACs increase their memberships and 
improve their analytical and communications capabilities. Nonethe- 
less, according to ISAC representatives and the ISAC Council 
which is also represented on this panel, a number of challenges re- 
main to their successful establishment, operation and partnership 
with DHS and other Federal agencies. These challenges include in- 
creasing the percentage of sector entities that are members of the 
ISACs; two, building trusted relationships and processes to facili- 
tate information sharing; three, overcoming barriers to information 
sharing; four, clarifying roles and responsibilities of the various 
governmental and private sector entities involved in protecting our 
critical infrastructures; next, funding ISAC operations and activi- 
ties; and utilizing sector expertise. 

According to a DHS official, these issues are being considered by 
the Department and should be clarified with the development of a 
plan that will lay out the current relationships, goals for improving 
them, and methods for measuring progress. To help ensure that a 
comprehensive and trusted information-sharing process is estab- 
lished, it will be important to consider input from all appropriate 
stakeholders and to agree upon the respective roles, responsibil- 
ities, relationships and expectations of the parties. 
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Mr. Chairman, this concludes my statement. I will be pleased to 
answer any questions that you or other members of the sub- 
committee may have. 

[The statement of Mr. Dacey follows:] 

Prepared Statement of Robert F. Dacey 
United States Gengeral Accounting Office 

CRITICAL INFRASTRUCTURE PROTECTION 

Establishing Effective Information Sharing with Infrastructure Sectors 

Messrs. Chairmen and Members of the Subcommittees: 

I am pleased to be here today to discuss the status of private-sector information 
sharing and analysis centers (ISACs) and their efforts to help protect our nation’s 
critical infrastructures. Critical infrastructure protection (CIP) activities called for 
in federal policy and law are intended to enhance the security of cyber and physical, 
public and private infrastructures that are essential to national security, national 
economic security, or national public health and safety. Beginning with Presidential 
Decision Directive 63 (PDD 63) issued in May 1998, federal policy has encouraged 
the voluntary creation of ISACs to facilitate private-sector participation and serve 
as mechanisms for gathering, analyzing, and appropriately sanitizing and dissemi- 
nating information to and from infrastructure sectors and the federal government. 
Subsequent federal CIP policy, including several national strategies, continued to 
emphasize the importance of the ISACs and their information-sharing functions. 1 
Further, CIP policy has established specific responsibilities for the Department of 
Homeland Security (DHS) and other federal agencies with respect to public-private 
collaboration to help protect private infrastructure sectors. 

In my testimony today, I will discuss the management and operational structures 
used by the ISACs, including their estimated sector participation, business and 
funding models, and information sharing and analysis mechanisms. I will then dis- 
cuss activities by DHS and other federal agencies with responsibilities for specific 
infrastructure sectors to interact and support the ISACs. Lastly, I will discuss some 
of the ISAC identified challenges to and successful practices for their establishment, 
operation, and partnership with the federal government. 

As agreed, this testimony includes initial results of our ongoing analysis of pri- 
vate-sector ISACs, which was requested by your subcommittees. In conducting this 
work, we contacted officials for the 15 different ISAC organizations that had been 
established at the time of our review: Chemical, Electricity, Energy, Emergency 
Management and Response, Financial Services, Food, Information Technology, 
Multi-State, Public Transit, Real Estate, Research and Education, Surface Transpor- 
tation, Telecommunications, Highway, and Water. Through structured interviews 
with these officials, we obtained and analyzed information to describe the ISACs’ 
current organization and operational models, funding mechanisms, sector represen- 
tation and membership criteria, as well as their challenges and successful practices 
in establishing effective information-sharing relationships within their sectors and 
with the federal government. We also contacted officials of the Healthcare Sector 
Coordinating Council to discuss their efforts to establish an ISAC for the healthcare 
sector. Further, we contacted officials of the ISAC Council, which was created by 
11 ISACs to address common issues, and obtained and analyzed its series of white 
papers on a range of ISAC-related issues and challenges. Within the federal govern- 
ment, we obtained and analyzed information on efforts to work with the private-sec- 
tor by DHS and other agencies assigned responsibilities for specific industry sectors, 
including the Departments of Agriculture, Energy, Health and Human Services, and 
the Treasury and the Environmental Protection Agency. We did not validate the ac- 
curacy of the data provided by the ISACs, DHS, or other agencies. We performed 
our work from November 2003 to April 2004, in accordance with generally accepted 
government auditing standards. 

Results in Brief 


1 The White House, The National Strategy to Secure Cyberspace (Washington, D.C.: February 
2003); The National Strategy for the Physical Protection of Critical Infrastructures and Key As- 
sets (Washington, D.C.: February 2003); and Homeland Security Presidential Directive 7, Crit- 
ical Infrastructure Identification, Prioritization, and Protection (Washington, D.C.: Dec. 17, 
2003). 
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Beginning with PDD 63, federal policy has encouraged the voluntary creation of 
ISACs as key information-sharing mechanisms between the federal government and 
critical infrastructures. While PDD 63 suggested certain ISAC activities, CIP policy 
has essentially left the actual design and function of the ISACs to the entities that 
formed them. As a result, although their overall missions are similar, the current 
ISACs were established and developed based on the unique characteristics and 
needs of their individual sectors. They operate under different management and 
operational structures and, among other things, have different business models and 
funding mechanisms. For example, most are managed or operated as private entities 
with some, such as the Water and Chemical ISACs, part of associations that rep- 
resent their sectors. Others have partnered with government agencies, such as the 
Telecommunications ISAC, which is a government-industry operational and collabo- 
rative body sponsored by DHS’s National Communications Systems/ National Co- 
ordinating Center (NCC). Different funding mechanisms used by the ISACs include 
fee-for-service, association sponsorship, federal grants, and/or voluntary or in-kind 
operations by ISAC participants. Examples of fee-for-service funding include the Fi- 
nancial Services, Information Technology, and Water ISACs that offer tiered mem- 
berships with fees based on the level of service provided. 

DHS and the sector-specific agencies have undertaken a number of efforts to ad- 
dress the public-private partnership called for by federal CIP policy and continue 
to work on their cooperation and interaction with the ISACs and with each other. 
For example, in January 2004, DHS held a 2-day conference to describe the informa- 
tion they are analyzing and its use in the partnership with the private sector and 
to discuss information sharing between the federal government and the private sec- 
tor. Also, in February, the department established the Protected Critical Infrastruc- 
ture Information (PCII) Program that enables the private sector to voluntarily sub- 
mit infrastructure information to the government, which can be protected from dis- 
closure according to provisions of the Critical Infrastructure Information Act of 
2002. 

According to ISAC representatives and a council that represents many of them, 
a number of challenges remain to their successful establishment, operation, and 
partnership with DHS and other federal agencies. These challenges include increas- 
ing the percentage of sector entities that are members of the ISACs; building trust- 
ed relationships and processes to facilitate information sharing; overcoming barriers 
to information sharing, including the sensitivity of the information, legal limits on 
disclosure (such as Privacy Act limitations on disclosure of personally identifiable 
information), and contractual and business limits on how and when information is 
disclosed; clarifying the roles and responsibilities of the various government and pri- 
vate sector entities involved in protecting the critical infrastructures; and funding 
ISAC operations and activities. According to a DHS official, these issues are being 
considered and should be clarified through the department’s development of a plan 
that documents the current information-sharing relationships between DHS, the 
ISACs, and other agencies; goals for improving that information sharing relation- 
ship; and methods for measuring progress. 

Background 

As reliance on our nation’s critical infrastructures grows, so do the potential 
threats and attacks that could disrupt critical systems and operations. In response 
to the potential consequences, federal awareness of the importance of securing our 
nation’s critical infrastructures, which underpin our society, economy, and national 
security, has been evolving since the mid-1990s. For example, issued in 1998, Presi- 
dential Decision Directive 63 (PDD 63) described the federal government’s strategy 
for cooperative efforts with state and local governments and the private sector to 
protect the systems that are essential to the minimum operations of the economy 
and the government from physical and cyber attack. In 2002, the Homeland Secu- 
rity Act created the Department of Homeland Security, which was given responsi- 
bility for developing a national plan; recommending measures to protect the critical 
infrastructure; and collecting, analyzing, and disseminating information to govern- 
ment and private-sector entities to deter, prevent and respond to terrorist attacks. 

More recently, issued in December 2003, HSPD-7 defined federal responsibilities 
for critical infrastructure protection, superseding PDD 63. 

CIP Policy Has Continued to Evolve 

Federal awareness of the importance of securing our nation’s critical infrastruc- 
tures has continued to evolve since the mid-1990s. Over the years, a variety of work- 
ing groups has been formed, special reports written, federal policies issued, and or- 
ganizations created to address the issues that have been raised. Key documents that 
have shaped the development of the federal government’s CIP policy include: 

• Presidential Decision Directive 63 (PDD 63), 
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• The Homeland Security Act of 2002, 

• The National Strategies for Homeland Security, to Secure Cyberspace and for 
the Physical Protection of Critical Infrastructures and Key Assets, and 

• Homeland Security Presidential Directives 7 (HSPD-7) and 9 (HSPD-9). 

Presidential Decision Directive 63 Established an Initial CIP Strategy 

In 1998, the President issued PDD 63, which described a strategy for cooperative 
efforts by government and the private-sector to protect the physical and cyber-based 
systems essential to the minimum operations of the economy and the government. 
PDD 63 called for a range of actions that were intended to improve federal agency 
security programs, improve the nation’s ability to detect and respond to serious com- 
puter-based and physical attacks, and establish a partnership between the govern- 
ment and the private-sector. Although superseded in December 2003 by HSPD-7, 
PDD 63 provided the foundation for the development of the current sector based 
CIP approach. 

To accomplish its goals, PDD 63 established and designated organizations to pro- 
vide central coordination and support, including the National Infrastructure Protec- 
tion Center (NIPC), an organization within the FBI, which was expanded to address 
national-level threat assessment, warning, vulnerability, and law enforcement inves- 
tigation and response. 

To ensure the coverage of critical sectors, PDD 63 identified eight infrastructures 
and five functions. For each of the infrastructures and functions, the directive des- 
ignated lead federal agencies, referred to as sector liaisons, to work with their coun- 
terparts in the private-sector, referred to as sector coordinators. Among other re- 
sponsibilities, PDD 63 stated that sector liaisons should identify and access eco- 
nomic incentives to encourage sector information sharing and other desired behav- 
ior. 

To facilitate private-sector participation, PDD 63 also encouraged the voluntary 
creation of information sharing and analysis centers (ISACs) to serve as mecha- 
nisms for gathering, analyzing, and appropriately sanitizing and disseminating in- 
formation to and from infrastructure sectors and the federal government through 
NIPC. PDD 63 also suggested several key ISAC activities to effectively gather, ana- 
lyze, and disseminate information — activities that could improve the security pos- 
tures of the individual sectors and provide an improved level of communication 
within and across sectors and all levels of government. These activities are: estab- 
lishing baseline statistics and patterns on the various infrastructures; serving as a 
clearinghouse for information within and among the various sectors; providing a li- 
brary of historical data for use by the private-sector and government, and reporting 
private-sector incidents to NIPC. 

The Homeland Security Act of 2002 Established the Department’s CIP Re- 
sponsibilities 

The Homeland Security The Homeland Security Act of 2002, signed by the Presi- 
dent on November 25, 2002, established DHS. To help accomplish its mission, the 
act Act of 2002 Established the established five under secretaries, among other enti- 
ties, with responsibility over directorates for management, science and technology, 
information analysis and infrastructure protection, border and transportation secu- 
rity, and emergency preparedness and response. 

The act made the Information Analysis and Infrastructure Protection (IAIP) Di- 
rectorate within the department responsible for CIP functions and transferred to it 
the functions, personnel, assets, and liabilities of several existing organizations with 
CIP responsibilities, including NIPC (other than the Computer Investigations and 
Operations Section). 

IAIP is responsible for accessing, receiving, and analyzing law enforcement infor- 
mation, intelligence information, and other threat and incident information from re- 
spective agencies of federal, state, and local governments and the private-sector, and 
for combining and analyzing such information to identify and assess the nature and 
scope of terrorist threats. IAIP is also tasked with coordinating with other federal 
agencies to administer the Homeland Security Advisory System to provide specific 
warning information along with advice on appropriate protective measures and 
countermeasures. Further, IAIP is responsible for disseminating, as appropriate, in- 
formation analyzed by DHS within the department, to other federal agencies, to 
state and local government agencies, and to private-sector entities. 

Moreover, as stated in the Homeland Security Act of 2002, IAIP is responsible for 
(1) developing a comprehensive national plan for securing the key resources and 
critical infrastructure of the United States and (2) recommending measures to pro- 
tect the key resources and critical infrastructure of the United States in coordina- 
tion with other federal agencies and in cooperation with state and local government 
agencies and authorities, the private-sector, and other entities. 



53 


National Strategies Establish Information-Sharing Initiatives 

The National Strategy for Homeland Security identifies information sharing and 
systems as one foundation for evaluating homeland security investments across the 
federal government. It also identifies initiatives to enable critical infrastructure in- 
formation sharing and to integrate sharing across state and local government, pri- 
vate industry, and citizens. Consistent with the original intent of PDD 63, the Na- 
tional Strategy for Homeland Security states that, in many cases, sufficient incen- 
tives exist in the private market for addressing the problems of CIP. However, the 
strategy also discusses the need to use all available policy tools to protect the 
health, safety, or well-being of the American people. It mentions federal grant pro- 
grams to assist state and local efforts, legislation to create incentives for the private 
sector, and, in some cases, regulation. 

The National Strategy to Secure Cyberspace provides an initial framework for both 
organizing and prioritizing efforts to protect our nation’s cyberspace. It also provides 
direction to federal departments and agencies that have roles in cyberspace security 
and identifies steps that state and local governments, private companies and organi- 
zations, and individual Americans can take to improve our collective cybersecurity. 
The strategy warns that the nation’s private-sector networks are increasingly tar- 
geted and will likely be the first organizations to detect attacks with potential na- 
tional significance. According to the cyberspace strategy, ISACs, which possess 
unique operational insight into their industries’ core functions and will help provide 
the necessary analysis to support national efforts, are expected to play an increas- 
ingly important role in the National Cyberspace Security Response System 2 and the 
overall missions of homeland security. In addition, the cyberspace strategy identifies 
DHS as the central coordinator for cyberspace efforts and requires it to work closely 
with the ISACs to ensure that they receive timely and threat and vulnerability data 
that can be acted on and to coordinate voluntary contingency planning efforts. The 
strategy reemphasizes that the federal government encourages the private-sector to 
continue to establish ISACs and, further, to enhance the analytical capabilities of 
existing ISACs. Moreover, the strategy stresses the need to improve and enhance 
public-private information sharing about cyber attacks, threats, and vulnerabilities 
and to encourage broader information sharing on cybersecurity among nongovern- 
mental organizations with significant computing resources. The National Strategy to 
Secure Cyberspace also states that the market is to provide the majorimpetus to im- 
prove cybersecurity and that regulation will not become a primary means of secur- 
ing cyberspace. 

The National Strategy for the Physical Protection of Critical infrastructures and 
Key Assets provides a statement of national policy to remain committed to protecting 
critical infrastructures and key assets from physical attacks. It outlines three key 
objectives to focus the national protection effort: (1) identifying and assuring the 
protection of the most critical assets, systems, and functions; (2) assuring the protec- 
tion of infrastructures that face an imminent threat; and (3) pursuing collaborative 
measures and initiatives to assure the protection of other potential targets. The Na- 
tional Strategy for the Physical Protection of Critical Infrastructures and Key Assets 
also states that further government leadership and intense collaboration between 
public — and private-sector stakeholders is needed to create a more effective and effi- 
cient information-sharing process to enable our core protective missions. Some of the 
specific initiatives include 

• defining protection-related information requirements and establishing effec- 
tive, efficient information-sharing processes; 

• promoting the development and operation of critical sector ISACs, including 
developing advanced analytical capabilities; 

• improving processes for domestic threat data collection, analysis, and dissemi- 
nation to state and local governments and private industry; and 

• completing implementation of the Homeland Security Advisory System. 

The National Strategy for the Protection of Critical Infrastructures and Key Assets 
reiterates that additional regulatory directives and mandates should only be nec- 
essary in instances where the market forces are insufficient to prompt the necessary 
investments to protect critical infrastructures and key assets. 

Current Federal Agency CIP Responsibilities 


2 The National Cyberspace Security Response System is a public-private architecture, coordi- 
nated by the Department of Homeland Security, for analyzing and warning; managing incidents 
of national significance; promoting continuity in government systems and private sector infra- 
structures; and increasing information sharing across and between organizations to improve 
cyberspace security. It includes governmental entities and nongovernmental entities, such as 
private-sector ISACs. 
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In December 2003, the President issued HSPD-7, which established a national 
policy for federal departments and agencies to identify and prioritize critical infra- 
structure and key resources and to protect them from terrorist attack. It superseded 
PDD 63. HSPD-7 defines responsibilities for DHS, lead federal agencies, or sector- 
specific agencies that are responsible for addressing specific critical infrastructure 
sectors, and other departments and agencies. It instructs federal departments and 
agencies to identify, prioritize, and coordinate the protection of critical infrastruc- 
ture to prevent, deter, and mitigate the effects of attacks. 

The Secretary of Homeland Security is assigned several responsibilities, including 

• coordinating the national effort to enhance critical infrastructure protection; 

• identifying, prioritizing, and coordinating the protection of critical infrastruc- 
ture, emphasizing protection against catastrophic health effects or mass casual- 
ties; 

• establishing uniform policies, approaches, guidelines, and methodologies for 
integrating federal infrastructure protection and risk management activities 
within and across sectors; and 

• serving as the focal point for cyberspace security activities, including analysis, 
warning, information sharing, vulnerability reduction, mitigation, and recovery 
efforts for critical infrastructure information systems. 

To ensure the coverage of critical sectors, HSPD-7 designated sector specific agen- 
cies, formerly referred to as lead agencies, for the critical infrastructure sectors 
identified in the National Strategy for Homeland Security (see table 1). These agen- 
cies are responsible for infrastructure protection activities in their assigned sectors, 
which include 

• coordinating and collaborating with relevant federal agencies, state and local 
governments, and the private-sector to carry out their responsibilities; 

• conducting or facilitating vulnerability assessments of the sector; 

• encouraging the use of risk management strategies to protect against and 
mitigate the effects of attacks against the critical infrastructure. 

• identifying, prioritizing, and coordinating the protection of critical infrastruc- 
ture; 

• facilitating the sharing of information about physical and cyber threats, 
vulnerabilities, incidents, potential protective measures, and best practices; and 

• reporting to DHS on an annual basis on their activities to meet these respon- 
sibilities. 

Further, the sector-specific agencies are to continue to encourage the development 
of information-sharing and analysis mechanisms and to support sector-coordinating 
mechanisms. HSPD-7 does not suggest any specific ISAC activities. 

Table 1: Critical Infrastructure Sectors Identified by the National Strategy for Homeland 


Security and HSPD-7 

Sector 

Description 

Sector-specific agency 

Agriculture 

Provides for the fundamental need for food. The infra- 
structure includes supply chains for feed and crop 
production. 

Department of Agriculture 

Banking and Finance 

Provides the financial infrastructure of the nation. This 
sector consists of commercial banks, insurance 
companies, mutual funds, government sponsored 
enterprises, pension funds, and other financial in- 
stitutions that carry out transactions including 
clearing and settlement. 

Department of the Treasury 

Chemicals and haz- 
ardous materials 

Transforms natural raw materials into commonly used 
products benefiting Department of Homeland soci- 
ety’s health, safety, and productivity. The chemical 
industry Security represents a $450 billion enter- 
prise and produces more than 70,000 products that 
are essential to automobiles, pharmaceuticals, food 
supply, electronics, water treatment, health, con- 
struction and other necessities. 

Department of Homeland Security 
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Table 1: Critical Infrastructure Sectors Identified by the National Strategy for Homeland 
Security and HSPD-7 — Continued 


Sector 

Description 

Sector-specific agency 

Defense industrial base 

Supplies the military with the means to protect the 
nation by producing weapons, aircraft, and ships 
and providing essential services, including informa- 
tion technology and supply and maintenance. 

Department of Defense 

Emergency services 

Saves lives and property from accidents and disaster. 
This sector includes fire, rescue, emergency medical 
services, and law enforcement organizations. 

Department of Homeland Security 

Energy 

Provides the electric power used by all sectors, includ- 
ing critical infrastructures, and the refining, stor- 
age, and distribution of oil and gas. The sector is 
divided into electricity and oil and natural gas. 

Department of Energy 

Food 

Carries out the post-harvesting of the food supply, in- 
cluding processing and retail sales. 

Department of Agriculture and 
Department of Health and Human 
Services 

Government 

Ensures national security and freedom and administers 
key public functions. 

Department of Homeland Security 

Information technology 
and telecommuni- 
cations 

Provides communications and processes to meet the 
needs of businesses and government. 

Department of Homeland Security 

Postal and shipping 

Delivers private and commercial letters, packages, and 
bulk assets. The U.S. Postal Service and other car- 
riers provide the services of this sector. 

Department of Homeland Security 

Public Health and 
Healthcare 

Mitigates the risk of disasters and attacks and also 
provides recovery assistance if an attack occurs. 
The sector consists of health departments, clinics, 
and hospitals. 

Department of Health and Human 
Services 

Transportation 

Enables movement of people and assets that are vital 
to our economy, mobility, and security with the use 
of aviation, ships, rail, pipelines, highways, trucks, 
buses, and mass transit. 

Department of Homeland Security 

Drinking water and water 
treatment systems 

Sanitizes the water supply with the use of about 
170,000 public water systems. These systems de- 
pend on reservoirs, dams, wells, treatment facilities, 
pumping stations, and transmission lines. 

Environmental Protection Agency 


Source: GAO analysis based on the President’s National Strategy documents and HSPD— 7. 

In January, the President issued HSPD-9, which established a national policy 
to defend the agriculture and food system against terrorist attacks, major disas- 
ters, and other emergencies. HSPD-9 defines responsibilities for DHS, lead fed- 
eral agencies, or sector-specific agencies, responsible for addressing specific crit- 
ical infrastructure sectors, and other departments and agencies. It instructs fed- 
eral departments and agencies to protect the agriculture and food system from 
terrorist attacks, major disasters, and other emergencies by 

• identifying and prioritizing sector-critical infrastructure and key re- 
sources for establishing protection requirements; 

• developing awareness and early warning capabilities to recognize threats; 

• mitigating vulnerabilities at critical production and processing nodes; 

• enhancing screening procedures for domestic and imported products; and 
In addition, the Secretary of Homeland Security, in coordination with the 
Secretaries of Agriculture, Health and Human Services, and other appro- 
priate federal department and agencies, are assigned responsibilities in- 
cluding: 
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• expanding and continuing vulnerability assessments of the agriculture 
and food sectors; and 

• working with appropriate private-sector entities to establish an effective 
information-sharing and analysis mechanism for agriculture and food. 

• enhancing response and recovery procedures. 

Prior GAO Recommendations 

We have made numerous recommendations over the last several years related to 
information-sharing functions that have been transferred to DHS. One significant 
area of our work concerns the federal government’s CIP efforts, which is focused on 
sharing information on incidents, threats, and vulnerabilities and providing warn- 
ings related to critical infrastructures both within the federal government and be- 
tween the federal government and state and local governments and the private sec- 
tor. Although improvements have been made in protecting our nation’s critical infra- 
structures and continuing efforts are in progress, further efforts are needed to ad- 
dress the following critical CIP challenges that we have identified: 

• developing a comprehensive and coordinated national plan to facilitate CIP 
information sharing, which clearly delineates the roles and responsibilities of 
federal and nonfederal CIP entities, defines interim objectives and milestones, 
sets timeframes for achieving objectives, and establishes performance measures; 

• developing fully productive information-sharing relationships within the fed- 
eral government and between the federal government and state and local gov- 
ernments and the private-sector; 

• improving the federal government’s capabilities to analyze incident, threat, 
and vulnerability information obtained from numerous sources and share appro- 
priate timely, useful warnings and other information concerning both cyber and 
physical threats to federal entities, state and local governments, and the pri- 
vate-sector; and 

• providing appropriate incentives for nonfederal entities to increase informa- 
tion sharing with the federal government. 

ISAC Structures and Operations Reflect Sector Needs and Evolving Goals 

PDD 63 encouraged the voluntary creation of ISACs and suggested some possible 
activities, as discussed earlier; however, their actual design and functions were left 
to the private-sector, along with their relationship with the federal government. 
HSPD-7 continues to encourage the development of information-sharing mecha- 
nisms and does not suggest specific ISAC activities. As a result, the ISACs have 
been designed to perform their missions based on the unique characteristics and 
needs of their individual sectors and, although their overall missions are similar, 
they have different characteristics. They were created to provide an information- 
sharing and analysis capability for members of their respective infrastructure sec- 
tors to support efforts to mitigate risk and provide effective response to adverse 
events, including cyber, physical, and natural events. In addition, the ISACs have 
taken several steps to improve their capabilities and the services they provide to 
their respective sectors. 

Management and Operational Structures Vary, But Provide Similar Basic 
Capabilities 

The ISACs have developed diverse management structures and operations to meet 
the requirements of their respective critical infrastructure sectors. To fulfill their 
missions, they have been established using various business models, diverse funding 
mechanisms, and multiple communication methods. 

Business model — ISACs use different business models to accomplish their mis- 
sions. Most are managed or operated as private entities, including the Financial 
Services, Chemical, Electricity Sector, Food, Information Technology, Public Transit, 
Real Estate, Surface Transportation, Highway, and Water ISACs. Many are estab- 
lished as part of an association that represents a segment of or an entire critical 
infrastructure sector. For example, the Association of Metropolitan Water Authori- 
ties manages the contract for the Water ISAC and the American Chemistry Council 
manages and operates the Chemical ISAC through its CHEMTRAC. 3 In addition, 
the North American Electric Reliability Council (NERC), 4 a nonprofit corporation 


3 The American Chemistry Council represents the leading companies engaged in the business 
of chemistry. CHEMTREC® (Chemical Transportation Emergency Center) is the American 
Chemistry Council’s 24-hour emergency communications center. It was established in 1971 to 
provide emergency responders technical assistance in safely mitigating a distribution incident. 

4 The North American Electric Reliability Council’s (NERC) membership includes small and 
large electric utilities, regional utility companies, power marketers, and other entities respon- 
sible for power generation, transmission, control, and marketing and distribution in the United 
States, Canada, and a portion of Mexico. 
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that promotes electric system reliability and security, operates the Electricity Sector 
ISAC using internal expertise. 

The legal structure of ISACs continues to evolve. The Financial Services ISAC has 
evolved from a limited liability corporation in 1999 to a 501(c)6 non-stock corpora- 
tion and is managed by a board of directors that is comprised of representatives 
from the Financial Services ISAC’s members. According to the Financial Services 
ISAC Board, the change to be a 501(c)6 non-stock corporation, as mentioned above, 
was made to simplify the membership agreement and to make the process for ob- 
taining public funding easier. The Energy ISAC also changed from a limited liability 
corporation to a 501(c)3 nonprofit charitable organization to eliminate membership 
barriers. 

Also, government agencies have partnered with the private-sector to operate cer- 
tain ISACs. For example, DHS’s National Communications Systems/ National Co- 
ordinating Center (NCC) for Telecommunications sponsors the Telecommunications 
ISAC, which is a government/industry operational and collaborative body. 5 DHS 
provides for the Telecommunications ISAC facilities, tools and systems, the NCC 
manager, and the 24x7 watch operations staff. The private-sector provides rep- 
resentatives who have access to key corporate personnel and other resources. In ad- 
dition, DHS’s United States Fire Administration operates the Emergency Manage- 
ment and Response ISAC. New York State, through its Office of Cyber Security and 
Critical Infrastructure Coordination, is coordinating efforts of the Multi-state ISAC. 
The New York State Office of Cyber Security and Critical Infrastructure Coordina- 
tion is currently studying best practices and lessons learned to assist in developing 
a structure that will include representation by member states. 

Six of the ISACs included in our study use contractors to perform their day-to- 
day operations. According to an Association of Metropolitan Water Agencies 
(AMWA) official, they chose a contractor to operate the Water ISAC because the 
contractor had the appropriate expertise. In addition, the contractor’s personnel had 
government clearances and the ability to operate a secure communication system 
and facility. In addition, ISACs use contractors to supplement their operations. For 
example, a formal contract provides for the daily staffing and performance of the 
Emergency Management and Response ISAC’s tasks. It chose this model because of 
federal requirements and the shortage of positions for federal full-time employees 
at the United States Fire Administration. The Telecommunications ISAC contracted 
for analysts to operate the 24 x 7 watch operations under the management of a gov- 
ernment official. 

ISACs also differ in the nature of the hazards that they consider: cyber, physical, 
or all hazards (including natural events such as hurricanes). For example, during 
events of the power outage in August 2003 and Hurricane Isabel in September 2003, 
the Financial Services ISAC was contacted by DHS to determine the Banking and 
Finance sector’s preparedness and the impact of those events. However, the Multi- 
state ISAC will remain focused on cyber threats because other state organizations 
are in place to address physical and natural disaster events. 

Funding — ISACs fund their activities using a variety of methods — fees-for-serv- 
ice, association sponsorship, federal grants, and voluntary, or inkind, operations by 
existing participants. For example, the Financial Services, Information Technology, 
and Water ISACs use a tiered fee-for-service model for members. This model estab- 
lishes different tiers of membership based on the level of service provided. These 
tiers typically include some basic level of service that is provided at minimal or no 
cost to the member and additional tiers that provide — for a fee — more personalized 
service and access to additional resources. To help ensure that cost is not a deter- 
rent to membership and that the ISAC’s coverage of its sector is extensive, the Fi- 
nancial Services ISAC recently, as part of its next-generation ISAC effort, shifted 
to a tiered fee-for-service approach. It offers five levels of service that vary in cost — 
Basic (no charge), Core ($750 per year), Premier ($10,000 per year), Gold ($25,000 
per year), and Platinum ($50,000) — for ascending levels of information and analyt- 
ical capabilities. In addition, there is a partner-level license agreement for select in- 
dustry associations ($10,000) for distribution to eligible association members of Ur- 
gent and Crisis Alerts. For example, the Information Technology ISAC recently 
started to work on a tiered basis with fees set annually at $40,000; $25,000; $5,000; 


5 The National Coordinating Center for Telecommunications is open to companies that provide 
telecommunications or network services, equipment, or software to the communications and in- 
formation sector; select, competitive local exchange carriers; Internet service providers; vendors; 
software providers; telecommunications professional organizations and associations; or compa- 
nies with participation or presence in the communications and information sector. Membership 
is also allowed for National Coordinating Center member federal departments and agencies, and 
for national security/emergency preparedness users. 
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$1,000; and free. The Water ISAC also uses a tiered approach, with membership 
fees ranging from $7,500 to $750 annually. The Surface Transportation ISAC as- 
sesses an annual fee from its Class I railroad members of approximately $7,500. 

Some industry associations that operate ISACs fund them from budgets. For ex- 
ample, the North American Electric Reliability Council (NERC) funds the Electricity 
Sector ISAC, and the American Trucking Association funds the Highway ISAC from 
their budgets. The American Chemistry Council fully funds the Chemical ISAC 
through the previously existing Chemical Transportation Emergency Center, known 
as CHEMTRAC. The ten trade associations that are members of it fund the Real 
Estate ISAC. 

In addition, some ISACs receive funding from the federal government for such 
purposes as helping to start operations, funding memberships, and providing ex- 
panded capabilities. Examples include the following: 

• The Public Transit ISAC initially received a $1.2 million grant from the Fed- 
eral Transit Administration (FTA) to begin operations. Members pay no an an- 
nual fee and there are no membership requirements from the association that 
started the ISAC — the American Public Transportation Association. 

• For FY 2004, the Water ISAC received a $2 million grant from EPA to cover 
annual operating costs, including the expansion of memberships to smaller utili- 
ties. 

• The Financial Services ISAC received $2 million dollars from the Department 
of the Treasury to enhance its capabilities, including technology to broaden 
membership service. 

• The Highway ISAC received initial funding from DHS’s Transportation Secu- 
rity Administration (TSA) to start the ISAC. 

• The Energy ISAC received federal grants to assist entities within its separate 
sectors to be members. 

• DHS provides funding for the operation of the Telecommunications ISAC that 
is combined with in-kind services provided by the corporate participants. DHS 
also fully operates the Emergency Management and Response ISAC. 

States also provide funding for ISACs. For example, the Multi-state ISAC is fund- 
ed by and functions as part of the New York State Cyber Security Analysis Center. 
In addition, the Research and Education Network ISAC is supported by Indiana 
University. 

Sharing mechanisms — ISACs use various methods to share information with 
their members, other ISACs, and the federal government. For example, they gen- 
erally provide their members access to electronic information via e-mail and Web 
sites. For example, the Chemical ISAC members receive e-mail alerts and warnings 
in addition to the information that is posted to the ISAC’s Web site. The Highway 
ISAC provides members on its Web site with links to IT resources. 

Some ISACs also provide secure members-only access to information on their Web 
sites. For example, the Financial Services ISAC’s Web site offers multiple capabili- 
ties for members at the premier level and above, including, among other things, ac- 
cess news, white papers, best practices, and contacts. The Energy ISAC offers its 
members access to a secure Web site. 

In addition, some ISACs hold conference calls for their members. For example, the 
Chemical ISAC holds biweekly conference calls with DHS. The Financial Services 
ISAC also conducts threat intelligence conference calls every two weeks for premier 
members and above with input from Science Applications International Corporation 
(SAIC) and DHS. These calls discuss physical and cyber threats, vulnerabilities and 
incidents that have occurred during the previous two weeks, and they provide sug- 
gestions on what may be coming. The Financial Services ISAC is capable of orga- 
nizing crisis conference calls within an hour of the notification of a Crisis Alert, and 
it hosts regular bi-weekly threat conference calls for remediation of vulnerabilities 
(viruses, patches). 

ISACs also use other methods to communicate. For example, they may use pagers, 
phone calls, and faxes to disseminate information. In addition, the Telecommuni- 
cations ISAC uses the Critical Infrastructure Warning Information Network 
(CWIN). 6 The Financial Services ISAC also sponsors twice yearly members’ only 
conferences to learn and share information. 

ISAC Coverage and Participation Varies 

According to the ISAC Council, its membership possesses an outreach and 
connectivity capability to approximately 65 percent of the U.S. private critical infra- 


6 CWIN provides connectivity and 24x7 alert and notification capability to government and in- 
dustry participants. It is engineered to provide a reliable and survivable network capability, and 
it has no logical dependency on the Internet or the Public Switched Network. 
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structure. However, the ISACs use various matrices to define their respective sec- 
tors’ participation in their activities. For example, the Banking and Finance sector 
has estimated that there are more than 25,000 financial services firms in the United 
States. Of those, according to the Financial Services ISAC Board, roughly 33 percent 
receive Urgent and Crisis Alerts through license agreements with sector associa- 
tions — accounting for the vast majority of total commercial bank assets, the majority 
of assets under management, and the majority of securities/ investment bank trans- 
actions that are handled by the sector, but less than half the sector’s insurance as- 
sets. According to an American Public Transportation Association official, the Public 
Transit ISAC covers a little less than 5 percent of the public transit agencies; how- 
ever, those agencies handle about 60 to 70 percent of the total public transit rider- 
ship. Further, according to NERC officials, virtually all members of NERC are mem- 
bers of the Electricity Sector ISAC. As for the Energy ISAC, officials stated that its 
80-plus members represent approximately 85 percent of the energy industry. Mem- 
bership in the Information Technology ISAC also represents 85 to 90 percent of the 
industry, including assets of Internet equipment hardware, software, and security 
providers. For other ISACs, such as Chemical and Real Estate, officials stated that 
it is difficult to determine the percentage of the sector that is included. 

Table 2 provides a summary of the characteristics of the ISACs that we included 
in our review. In addition to these ISACs, the Healthcare sector is continuing to or- 
ganize, including efforts to establish an ISAC. According to DHS officials, the Emer- 
gency Law Enforcement ISAC that was formally operated by the NIPC and trans- 
ferred to IAIP is not currently staffed and will be considered in current efforts to 
organize the Emergency Services sector. 
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Sector Coordinator Roles Differ 

As discussed earlier, federal CIP policy establishes the position of sector coordi- 
nator for identified critical infrastructure sectors to initiate and build cooperative 
relationships across an entire infrastructure sector. In most cases, sector coordina- 
tors have played an important role in the development of their respective infrastruc- 
ture sectors’ ISACs. In many cases the sector coordinator also manages or operates 
the ISAC. 

• The North American Electric Reliability Council, as sector coordinator for the 
electricity segment of the energy sector, operates the Electricity Sector ISAC. 

• The Association of American Railroads, as a sector coordinator for the trans- 
portation sector, manages the Surface Transportation ISAC. 

• The Association of Metropolitan Water Agencies, as the sector coordinator for 
the water and wastewater sector, manages the Water ISAC 

In addition, regarding the telecommunications ISAC, sector coordinators partici- 
pate as members of the ISAC. For example, the Cellular Telecommunications and 
Internet Association, the United States Telecom Association, and the Telecommuni- 
cations Industry Association are ah members of the NCC, which operates the tele- 
communications ISAC. In the case of the Financial Services ISAC, no formal rela- 
tionship exists between the Banking and Finance Sector Coordinator, the Financial 
Services Sector Coordinating Council, and the ISAC; however, according to Finan- 
cial Services ISAC officials, there is a good relationship between them. 

Other ISACs were created and are operated without a formal sector coordinator 
in place, including the Chemical, Emergency Management and Response, and Food 
ISACs. 

Council Established to Improve ISACs’ Efficiency and Effectiveness 

Eleven ISACs created an ISAC Council to work on various operational, process, 
and other common issues to effectively analyze and disseminate information and, 
where possible, to leverage the work of the entire ISAC community. The ISACs initi- 
ated this effort without federal sponsorship. Currently, the participating ISACs in- 
clude Chemical, Electricity, Energy, Financial Services, Information Technology, 
Public Transit, Surface Transportation, Telecommunications, Highway, and Water. 
In addition, the Multi-state and Research and Education Networks ISACs are par- 
ticipants. 

In February 2004, the council issued eight white papers to reflect the collective 
analysis of its members and to cover a broad set of issues and challenges, including 

• Government/Private-sector Relations. Explains the need for DHS to clar- 
ify its expectations and to develop roles and responsibilities for the ISACs. 

• HSPD-7 Issues and Metrics. Describes specific issues related to the pri- 
vate-sector that DHS should address when responding to HSPD-7. 

• Information Sharing and Analysis. Identifies future goals that the ISACs 
may want to work on achieving, including developing an implementation plan. 

• Integration of ISACs into Exercises. Discusses the importance of the 
ISACs and the private infrastructure sectors being involved in government exer- 
cises that demonstrate responses to possible incidents. 

• ISAC Analytical Efforts. Describes the various levels of capabilities that in- 
dividual ISACs may want to consider supporting, including cyber and physical 
analysis. 

• Policy and Framework for the ISAC Community. Identifies common pol- 
icy areas that need to be addressed to provide effective, efficient, and scalable 
information sharing among ISACs and between ISACs and the federal govern- 
ment. 

• Reach of Major ISACs. Describes and identifies the degree of outreach that 
the ISACs have achieved into the U.S. economy. As of September 2003, the 
ISAC Council estimated that the ISACs had reached approximately 65 percent 
of the critical infrastructures they represent. 

• Vetting and Trust. Discusses the processes for sharing information and the 
need to develop trust relationships among individual ISAC members and among 
the various ISACs. 

Federal Efforts to and Interaction with the ISACs Continue 

As outlined in HSPD-7 and presented in table 1, DHS and other federal agencies 
are designated as sector-specific agencies for the critical Establish Cooperation in- 
frastructure sectors identified. In addition, DHS is responsible for coordinating the 
overall national effort to enhance the protection of the critical infrastructure and 
key resources of the United States and has established organizational structures to 
address its CIP and information-sharing responsibilities. DHS and the sector-spe- 
cific agencies have undertaken a number of efforts to address the public/private 
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partnership that is called for by federal CIP policy, and they continue to work on 
their cooperation and interaction with the ISACs and with each other. 

DHS Actions to Improve Information-sharing Relationships 

The functions DHS provides to each ISAC differ, and its coordination and levels 
of participation vary for each sector-specific agency. However, the department has 
undertaken a number of efforts with the ISACs and sector specific agencies to im- 
plement the public/private partnership called for by federal CIP policy. 

DHS has established functions within the department to support the ISACs and 
other CIP efforts. IAIP, as the DHS component directly responsible for CIP activi- 
ties, carries out many of these functions. The Infrastructure Coordination Division 
within IAIP plays a key role in coordinating with the ISACs concerning information 
sharing. Nonetheless, ISACs may interact with multiple components of the depart- 
ment. For example, the ISACs may discuss cyber issues with the National Cyber 
Security Division. According to a DHS official, the department does not intend to 
establish a single point of contact for ISACs within the department. Rather, the de- 
partment plans to develop policies and procedures to ensure effective coordination 
and sharing of ISAC contact information among the appropriate DHS components. 
In addition, the Infrastructure Coordination Division is in the process of staffing an- 
alysts who are responsible for working with each critical infrastructure sector. The 
analysts would serve as the primary point of contact for the sectors and would ad- 
dress information sharing, coordination, information protection, and other issues 
raised by the sectors. 

Further, according to DHS officials, TSA, within the department’s Border and 
Transportation Security Directorate, is working with organizations in the private 
sector to establish information-sharing relationships. For example, Surface Trans- 
portation ISAC analysts stated that they have a good working relationship with 
TSA, and TSA’s Operations Center has office space designated for them. 

In addition, other DHS actions include the following: 

• Last summer, DHS, the Department of Agriculture (USDA), and the Depart- 
ment of Health and Human Services’ (HHS) Food and Drug Administration 
(FDA) initiated efforts to organize the agriculture and food critical infrastruc- 
ture sectors to raise awareness and improve security efforts. An introductory 
conference was held with about 100 leading sector corporations and associations 
to make the business case for participating in CIP efforts, including the impor- 
tance of enhancing security and sharing information within the sectors. 

• In December, DHS hosted a 2-day CIP retreat with ISAC representatives, sec- 
tor coordinators, and high-level DHS and White House Homeland Security 
Council officials. Participants discussed the needs, roles, and responsibilities of 
public — and private-sector entities related to information sharing and analysis, 
incident coordination and response activities, critical infrastructure information 
requests, and level of DHS funding. During this retreat, DHS participated in 
the first meeting of the Operational Clarity and Improvement Task Group, 
which was formed by the ISAC Council and sector coordinators to address the 
need for a common conceptual framework and to clarify current and future ef- 
forts to protect the nation’s critical infrastructure. 

• In January, DHS’s IAIP Directorate held a 2-day conference to describe the 
information it is analyzing and the use of that information in the partnership 
with the private sector to discuss information sharing between the federal gov- 
ernment and the private sector. 

• In February, the department established the Protected Critical Infrastructure 
Information (PCII) Program, which enables the private sector to voluntarily 
submit infrastructure information to the government. DHS’s IAIP Directorate is 
responsible for receiving submissions, determining if the information qualifies 
for protection and, if it is validated, sharing it with authorized entities for use 
as specified in the Critical Infrastructure Information Act of 2002. 

In addition to the efforts listed above, DHS officials stated that they provide fund- 
ing to some of the ISACs. For example, DHS has agreed to fund tabletop exercises 
for the Financial Services, Telecommunications, and Electricity Sector ISACs. DHS 
anticipates that the tabletop exercises will be completed by August 2004. Also, DHS 
expects to fund a cross-sector tabletop exercise. According to the Financial Services 
ISAC, funding for their tabletop exercise is $250,000. 

Another effort that DHS has undertaken is to maintain regular contact with the 
ISACs. For example, a DHS analyst specializing in the chemical sector stated that 
the Chemical ISAC is in daily contact with DHS and that it participates in DHS- 
sponsored biweekly threat meetings. The department also conducts weekly con- 
ference calls with several ISACs, other DHS components, and private-sector organi- 
zations to discuss threats and viruses. 
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Sector-specific Agencies Have Taken Action to Assist the ISACs 

HSPD-7 designates federal departments and agencies to be sector-specific agen- 
cies. These federal agencies, among other things, are to collaborate with the private 
sector and continue to encourage the development of information-sharing and anal- 
ysis mechanisms. In addition, sector-specific agencies are to facilitate the sharing 
of information about physical and cyber threats, vulnerabilities, incidents, potential 
protective measures, and best practices. Another directive, HSPD-9, establishes a 
national policy to defend the agriculture and food system against terrorist attacks, 
major disasters, and other emergencies. Some sector-specific agencies have taken 
steps to help the ISACs to increase their memberships and breadth of impact within 
their respective sectors and to improve their analytical and communications capa- 
bilities. 

• Environmental Protection Agency (EPA). As noted earlier, EPA is the 

sector-specific agency for the water sector. According to EPA officials, its Office 
of Water (Water Security Division), which has been designated as the lead for 
drinking water and wastewater CIP efforts, is currently revising EPA’s Office 
of Homeland Security’s Strategic Plan. In addition, the division is working on 
a General Strategic Plan, to identify measurable goals and objectives and deter- 
mine how the division will accomplish that work. Further, these officials stated 
that for fiscal year 2004, EPA issued a $2 million grant to the Water ISAC to 
enhance its capabilities, for example, to fund 24x7 operations and to increase 
and support ISAC membership. They also stated that EPA issued $50 million 
in grants to assist the largest drinking water utilities in conducting vulner- 
ability assessments. There are also state grants to build communications net- 
works for disseminating information, particularly to smaller utility companies. 
EPA’s Water Security Division also makes publicly available various resources 
related to water security including, among other things, emergency response 
guidelines, risk assessment and vulnerability assessment methodologies, and a 
security product guide. The division has also developed a “Vulnerability Assess- 
ment Factsheet” that gives utility companies additional guidance on vulner- 
ability assessments. Moreover, the Water Security Division holds biweekly con- 
ference calls with water associations to promote communications between EPA 
and the private sector, and it provides EPA publications and other information 
to the Water ISAC through e-mail distribution lists. In addition, the division 
has 10 regional offices that work with the states. 

• Department of the Treasury (Treasury). As the sector-specific agency for 
the Banking and Finance sector, Treasury’s Office of CIP and Compliance Policy 
is responsible for CIP-related efforts. It has developed policy for its role as a 
sector-specific agency. The policy includes steps to identify vulnerabilities with 
the assistance of the institutions, identify actions for remediation, and evaluate 
progress in reducing vulnerabilities. A major effort by Treasury was having con- 
sultants work with the Financial Services ISAC’s board of directors to evaluate 
ways to improve the overall reach and operations of the ISAC. According to 
Treasury officials, this effort, in part, led to a $2 million grant from Treasury 
to the ISAC for developing the “next generation” Financial Services ISAC. The 
one-time grant was earmarked for enhancing the ISAC’s capabilities. Regarding 
interaction with the Financial Services ISAC, Treasury informally shares high- 
level threat and incident information with the sector through the ISAC. The de- 
partment also chairs the Financial and Banking Information Infrastructure 
Committee (FBIIC), a group of regulators who coordinate regulatory efforts to 
improve the reliability and security of financial systems. This group has done 
a number of things to raise awareness and improve the reliability of the institu- 
tions. For example, under the sponsorship of the Federal Deposit Insurance Cor- 
poration, there are regional outreach briefings that address why the private sec- 
tor needs to partner with the federal government to improve its security. More- 
over, FBIIC has sponsored the 3,600 priority telecommunications circuits for fi- 
nancial institutions under the National Communications System’s Tele- 
communications Service Priority and Government Emergency Telecommuni- 
cations Service programs. 

• Department of Energy (DOE). As the sector-specific agency for the Energy 
and Electricity sectors, DOE’s Office of Energy Assurance is responsible for ful- 
filling the roles of critical infrastructure identification, prioritization, and pro- 
tection for the energy sector, which includes the production, refining, and dis- 
tribution of oil and gas, and electric power — except for commercial nuclear 
power facilities. However, DOE does not address situational threats such as 
natural disasters or power outages with its ISACs because, in part, the ISACs 
are determining whether it is their role to address these types of threats. Infor- 
mation sharing with the ISACs is an informal process, and no written policy 
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exists. For example, DOE is collecting threat information related to hackers and 
computer security, but the department is not disseminating it to the ISACs or 
to private industry. The Office of Energy Assurance hopes to clarify and expand 
on this subject in its International Program Plan, which is currently in draft 
form. 

• Department of Health and Human Services (HHS). As mentioned ear- 
lier, HHS is the sector-specific agency for the public health and healthcare sec- 
tor, and it shares that role with USDA for the food sector. Currently, there is 
no ISAC for the healthcare sector. Efforts to organize the healthcare sector have 
been ongoing. In July 2002, HHS officials and other government and industry 
participants were invited to the White House conference center to discuss how 
they wanted to organize the sector. A Healthcare Sector Coordinating Council 
(HSCC) was formed, and HHS requested that MITRE, its contractor, lend tech- 
nical support to the new group as it continues to organize the sector and estab- 
lish an ISAC. In addition, HHS officials stated that the department provided 
$500,000 for ISAC efforts in fiscal year 2003 and budgeted $1 million for fiscal 
year 2004. HHS officials stated that the department would likely be agreeable 
to continuing to provide funding for an ISAC. They also stated that an ISAC 
could be operational within the next year. In the meantime, HHS is sharing in- 
formation with the industry through an e-Community group that MITRE has 
set up on a secure Web site. 

Agriculture and Food were only recently designated as critical infrastructure sec- 
tors and, as with the healthcare sector, efforts to organize the sectors are in the be- 
ginning stages. HHS has worked with the Food Marketing Institute-operated Food 
ISAC since it was established, but the department has focused more of its efforts 
on organizing the agriculture and food sectors. As we mentioned earlier, HHS 
helped initiate efforts to organize the sector by holding an introductory conference 
last summer for about 100 leading sector corporations and associations to make the 
business case for participating in CIP efforts. Recently, the department co-hosted a 
meeting with DHS and USDA in which industry participants were asked how they 
wished to organize into an infrastructure sector, including addressing the existence 
and expansion of the current Food ISAC. As a result of this meeting, participants 
agreed to establish a council of about 10-15 private-sector food and agriculture orga- 
nizations to represent the sector. A federal government council will be created to 
interact with the private sector and with state and local governments. The govern- 
ment council will initially include several federal government agencies and state 
and local entities. According to HHS officials, the timeframe for organizing the sec- 
tor and setting up an expanded Food ISAC has not been determined, but officials 
anticipated this occurring by fall of 2004. 

• Department of Agriculture (USDA). As mentioned above, USDA shares 
with HHS the sector-specific agency designation for the food sector. USDA par- 
ticipated in a conference held last summer and a recent meeting with the indus- 
try. In addition to those events, USDA’s Homeland Security Council Working 
Group is involved in enhancing the agriculture sector’s information-sharing and 
analysis efforts, which may include replacing or improving the current Food 
ISAC. Another USDA effort uses training to reach out to the industry and raise 
awareness. For example, USDA is providing training to private-sector veterinar- 
ians and animal hospitals on recognizing possible signs of bioterrorism activity. 

Although no longer a sector-specific agency for the transportation sector, DOT, 
through its Federal Transit Administration, has provided a grant to the Public 
Transportation ISAC to provide for memberships at no cost. 

Challenges to ISAC Establishment and Partnership with the Federal Gov- 
ernment 

Increasing Sector Participation and Reach 

Our discussions with the ISACs and the series of ISAC Council white papers con- 
firmed that a number of challenges remain to the successful establishment and op- 
eration of ISACs and their partnership with DHS and other federal agencies. High- 
lighted below are some of the more significant challenges identified, along with any 
successful ISAC practices and related actions that have been taken or planned by 
DHS or others. 

Many of the ISACs report that they represent significant percentages of their in- 
dustry sectors; at least one — the Electricity ISAC — reports participation approaching 
100 percent. The ISAC Council estimates that the overall ISAC community possess 
an outreach and connectivity capability to reach approximately 65 percent of the 
private critical infrastructure. The Council also recognizes the challenge of increas- 
ing sector participation, particularly to reach smaller entities that need security 
support, but have insufficient resources to actively contribute and pay for such sup- 
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port. Officials in DHS’s IAIP acknowledge the importance of reaching out to critical 
infrastructure entities, and are considering alternatives to address this issue. 

The Financial Services ISAC provides a notable example of efforts to respond to 
this challenge. Specifically, officials for this organization reported that, as of March 
2003, its members represented a large portion of the sector’s assets, but only 0.2 
percent of the number of entities with small financial services firms and insurance 
companies, in particular, were underrepresented. To increase its industry member- 
ship, this organization established its next generation ISAC, which provides dif- 
ferent levels of service — ranging from a free level of basic service to fees for value- 
added services — to help ensure that no entity is excluded because of cost. Further, 
it has set goals of delivering urgent and crisis alerts to 80 percent of the Banking 
and Finance sector by the end of 2004 and to 99 percent of the sector by the end 
of 2005. To help achieve these goals, the Financial Services ISAC has several other 
initiatives under way, including obtaining the commitment of the Financial Services 
Sector Coordinating Council (FSSCC — the sector coordinator and primary marketing 
arm for this ISAC) to drive the marketing campaign to sign up its members for the 
appropriate tier of service; encourage membership through outreach programs spon- 
sored by the Federal Deposit Insurance Corporation and the FSSCC in 24 cities; and 
to work with individual sector regulators to include in their audit checklists whether 
a firm is a member of the ISAC. The Financial Services ISAC believes that its goals 
are attainable and points to its industry coverage, which it says had already in- 
creased to 30 percent in March 2004 — only three months after its new membership 
approach began in December 2003. 

Other issues identified that were related to increasing sector participation and 
reach included the following, 

• Officials at two of the ISACs we contacted considered it important that the 
federal government voice its support for the ISACs as the principal tool for com- 
municating threats. 

• The ISAC Council has suggested that a General Business ISAC may need to 
be established to provide baseline security information to those general busi- 
nesses that are not currently supported by an ISAC. 

• Many of the industries that comprise our nation’s critical infrastructures are 
international in scope. Events that happen to a private infrastructure or public 
sector organization in another country can have a direct effect in the United 
States, just as events here could have effects in other countries. Therefore, an 
ISAC may need to increase its reach to include the reporting and trust of inter- 
national companies and organizations. 

Building Trusted Relationships 

A key element in both establishing an ISAC and developing an effective public/ 
private partnership for CIP is to build trusted relationships and Building Trusted 
Relationships processes. From the ISAC perspective, sharing information requires a 
trusted relationship between the ISAC and its membership, such that companies 
and organizations know their sensitive data is protected from others, including com- 
petitors and regulatory agencies. According to the ISAC Council, the ISACs believe 
that they provide a trusted informationsharing and analysis mechanism for private 
industry in that they manage, scrutinize, establish, and authenticate the identity 
and ensure the security of their membership, as well as ensuring the security of 
their own data and processes. Other steps taken by ISACs to safeguard private com- 
panies’ information, which may help to foster trusted relationships, included sharing 
information with other entities only when given permission to do so by the reporting 
entity and providing other protections, such as distributing sensitive information to 
subscribers through encrypted e-mail and a secure Web portal. 

Building trusted relationships between government agencies and the ISACs is 
also important to facilitating information sharing. In some cases, establishing such 
relationships may be difficult because sector-specific agencies may also have a regu- 
latory role; for example, the Environmental Protection Agency has such a role for 
the Water sector and HHS’ Food and Drug Administration has it for portions of the 
Food and Agriculture sectors. 

Information Sharing Between the Private Sector and Government 

Sharing information between the federal government and the private sector on in- 
cidents, threats, and vulnerabilities continues to be a challenge. As we reported last 
year, much of the reluctance by ISACs to share information has focused on concerns 
over potential government release of that information under the Freedom of Infor- 
mation Act, antitrust issues resulting from information sharing within an industry, 
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and liability for the entity that discloses the information . 8 However, our recent dis- 
cussions with the ISACs — as well as the consensus of the ISAC Council — identified 
additional factors that may affect information sharing by both the ISACs and the 
government. 

The ISACs we contacted all described efforts to work with their sector specific 
agencies, as well as with other federal agencies, ISACs, and organizations. For ex- 
ample, the Public Transit ISAC said that it provides a critical link between the 
transit industry, DOT, TSA, DHS, and other ISACs for critical infrastructures and 
that it collects, analyzes, and distributes cyber and physical threat information from 
a variety of sources, including law enforcement, government operations centers, the 
intelligence community, the U.S. military, academia, IT vendors, the International 
Computer Emergency Response Community, and others. Most ISACs reported that 
they believed they were providing appropriate information to the government but, 
while noting improvements, still had concerns with the information being provided 
to them by DHS and/or their sector specific agencies. These concerns included the 
limited quantity of information and the need for more specific, timely, and action- 
able information. In particular, one ISAC noted that it receives information from 
DHS simultaneously with or even after news reports, and that sometimes the news 
reports provide more details. 

In its recent white papers, the ISAC Council also has identified a number of bar- 
riers to information sharing between the private sector and government. These in- 
cluded the sensitivity of the information (such as law enforcement information), 
legal limits on disclosure (such as Privacy Act limitations on disclosure of personally 
identifiable information), and contractual and business limits on how and when in- 
formation is disclosed (e.g., the Financial Services ISAC does not allow any govern- 
mental or law enforcement access to its database). But the Council also emphasized 
that perhaps the greatest barriers to information sharing stem from practical and 
business considerations in that, although important, the benefits of sharing informa- 
tion are often difficult to discern, while the risks and costs of sharing are direct and 
foreseeable. Thus, to make information sharing real, it is essential to lower the prac- 
tical risks of sharing information through both technical means and policies, and to 
develop internal systems that are capable of supporting operational requirements 
without interfering with core business. Consequently, the technical means used 
must be simple, inexpensive, secure, and easily built into business processes. 

According to the Council, the policy framework must reduce perceived risks and 
build trust among participants. Further, the Council identified three general areas 
that must be addressed in policy for the information-sharing network to assure net- 
work participants that there is good reason to participate and that their information 
will be dealt with appropriately. These areas concern policies related to what infor- 
mation is shared within ISACs, across ISACs, and to and from government; actions 
to be performed at each node in the information-sharing network, including the 
kinds of analysis to be performed; and the protection of shared information and 
analysis in terms of both limitations on disclosure and use and information security 
controls. 

The white papers also described the processes that are believed to be needed to 
ensure that critical infrastructure and/or security information is made available to 
the appropriate people with reasonable assurance that it cannot be used for mali- 
cious purposes or indiscriminately re-distributed so as to become essentially public 
information. These processes and other information-sharing considerations and 
tasks identified by the Council included the following: 

• The ISAC information-sharing process needs to recognize two types of infor- 
mation categories — classified and sensitive but unclassified. However, the ma- 
jority of information sharing must focus on the unclassified “actionable element” 
that points the recipient to a problem and to remediation action. 

• Each ISAC is responsible for initially validating the trust relationship with 
its member organizations and for periodically re-assessing that trust relation- 
ship. The security structure must understand and continually be in dialogue 
with its vetted members and must manage this trusted relationship. 

• Each individual who receives shared information must have a background 
check completed by and at a level of comprehensiveness specified by the spon- 
soring organization. 


8 U.S. General Accounting Office, Critical Infrastructure Protection: Efforts of the Financial 
Services Sector to Address Cyber Threats, GAO— 03-173 (Washington, D.C.: Jan. 30, 2003); and 
Critical Infrastructure Protection: Challenges for Selected Agencies and Industry Sectors, GAO- 
03-233 (Washington, D.C.: Feb. 28, 2003). 
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• Consequences and remediation must be developed and understood to address 
situations in which information is disclosed improperly — either intentionally or 
unintentionally. 

• The government’s data and information requirements for the sectors and the 
sectors’ requirements for the government need to be defined. 

• The government should establish a standing and formal trusted information- 
sharing and analysis process with the ISACs and sector coordinators as the 
trusted nodes for this dissemination. This body should be brought in at the be- 
ginning of any effort, and DHS products should be released to this group for 
primary and priority dissemination to their respective sectors. 

Building this trusted information-sharing and analysis process is also dependent 
on the protections the government provides for the sensitive data shared by ISACs 
and private companies. As discussed earlier, DHS recently issued the interim rule 
for submitting protected critical infrastructure information, which provides restric- 
tions on the use of this information and exempts it from release under the Freedom 
of Information Act. However, it remains to be seen whether these protections will 
encourage greater private-sector trust and information sharing with the federal gov- 
ernment. 

Identifying Roles and Responsibilities 

Federal CIP law and policies, including the Homeland Security Act of 2002, the 
National Strategy to Secure Cyberspace, and HSPD-7, establish CIP responsibilities 
for federal agencies, including DHS and others identified as sector-specific agencies 
for the critical infrastructure sectors. However, the ISACs believe that the roles of 
the various government and private sector entities involved in protecting critical in- 
frastructures must continue to be identified and defined. In particular, officials for 
several ISACs wanted a better definition of the role of DHS with respect to them. 
Further, officials for two ISACs thought other agencies might more appropriately be 
their sector-specific agencies. Specifically, the Energy ISAC would like its sector-spe- 
cific agency to be DHS and not the Department of Energy, which is also the regu- 
latory agency for this sector. On the other hand, the Highway ISAC thought its sec- 
tor-specific agency should be the Department of Transportation — the regulatory 
agency for its sector — and not DHS. 

The ISAC Council also identified the need for DHS to establish the goals of its 
directorates and the relationships of these directorates with the private sector. The 
Council also wants clarification of the roles of other federal agencies, state agencies, 
and other entities — such as the National Infrastructure Assurance Council. 

Obtaining Government 

Ten of the ISACs we contacted, plus the Healthcare sector, emphasized the impor- 
tance of government funding for purposes including creating the ISAC, supporting 
operations, increasing membership, developing metrics, and providing for additional 
capabilities. According to ISAC officials, some have already received federal funding: 
the Public Transit ISAC initially received a $1.2 million grant from the Federal 
Transit Administration to begin operations, and the Water ISAC received a $2 mil- 
lion grant from EPA for fiscal year 2004 to cover annual operating costs and expand 
memberships to smaller utilities. In addition, the Financial Services ISAC received 
$2 million from the Department of the Treasury to help establish its next-generation 
ISAC and its new capabilities, including adding information about physical threats 
to the cyber threat information it disseminates. 

Despite such instances, funding continues to be an issue, even for those that have 
already received government funds. For example, the Healthcare Sector Coordi- 
nating Council, which is the sector coordinator for the healthcare industry, is cur- 
rently looking to the federal government to help fund the creation of a Healthcare 
ISAC. Also, officials at the Public Transit ISAC noted that funding is an ongoing 
issue that is being pursued with DHS. Officials at the Financial Services ISAC, who 
notes that the ISAC’s goal is to become totally self-funded through membership fees 
by 2005, are also seeking additional government funding for other projects. 

The ISAC Council has also suggested that baseline funding is needed to support 
core ISAC functionalities and analytical efforts within each sector. The Council’s 
suggestions include that the government should procure a bulk license for the 
ISACs to receive data directly from some vulnerability and threat sources and ac- 
cess to analytical or modeling tools and that the funding for an ISAC analyst to 
work at DHS to support analysis of sector-specific information or intelligence re- 
quirements. 

According to the Financial Services ISAC, DHS has agreed to fund tabletop exer- 
cises for some ISACs. For example, according to DHS officials, exercises are occur- 
ring this week involving the Banking and Finance sector and exercises for other sec- 
tors are currently being explored. In addition, energy sector-related exercises were 
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held earlier in the year. DHS officials also stated that funding considerations for 
the critical infrastructure sectors and the ISACs would be based on their needs. 

Utilizing Sector Expertise 

In our discussions with ISAC officials, several, such as officials from the Surface 
Transportation and the Telecommunications ISACs, highlighted their analysis capa- 
bilities and, in particular, their analysts’ sector-specific knowledge and expertise 
and ability to work with DHS and other federal agencies. The ISAC Council also 
emphasized that analysis by sector specific, subject matter experts is a critical capa- 
bility for the ISACs, intended to help identify and categorize threats and 
vulnerabilities and then identify emerging trends before they can affect critical in- 
frastructures. Sector-specific analysis can add critical value to the information being 
disseminated, with products such as 24/7 immediate, sector-specific, physical, cyber, 
all threat and incident report warning; sector-specific information and intelligence 
requirements; forecasts of and mitigation strategies for emerging threats; and cross- 
sector interdependencies, vulnerabilities, and threats. 

The Council also emphasized that although government analytical efforts are crit- 
ical, private-sector analytical efforts should not be overlooked and must be inte- 
grated into the federal processes for a more complete understanding. The private 
sector understands its processes, assets, and operations best and can be relied upon 
to provide the required private-sector subject matter expertise. 

In a few cases, the integration of private-sector analytical capabilities with DHS 
does occur. For example, the Telecommunications ISAC, as part of Participation in 
National Homeland Security DHS’s National Communication System, has watch 
standers that are part of the DHS operations center and share information, when 
the information owner allows it and when it is appropriate and relevant, with the 
other analysts. In addition, a Surface Transportation ISAC analyst also participates 
in the DHS operations center on a part-time basis to offer expertise and connection 
to experts in the field in order to clarify the impact of possible threats. 

Participation in National Homeland Security Exercises 

The ISAC Council highlighted the need for ISAC participation in the national- 
level homeland security exercises that are conducted by the federal government, 
such as DHS’s May 2003 national terrorism exercise (TOPOFF 2), which was de- 
signed to identify vulnerabilities in the nation’s domestic incident management ca- 
pability. However, according to the Council, there has been little or no integration 
of active private industry and infrastructure into such exercises. For example, pri- 
vate industry participation in TOPOFF 2 was simulated. The Council believes that 
with such participation, both national and private-sector goals could be established 
during the creation of the exercise and then addressed during the exercise. 

The Council did identify examples where the private sector is being included in 
exercises, such as efforts by the Electronics Crime Unit of the U.S. Secret Service 
to reach out to the private sector and support tabletop exercises to address the secu- 
rity of private infrastructures. Further, according to a DHS official, the department 
has agreed to fund tabletop exercises for members of several ISACs, including Fi- 
nancial Services, Chemical, and Electricity, as well as a cross-sector tabletop exer- 
cise. 

Additional Challenges 

Additional challenges identified by our work and/or emphasized by the ISAC 
Council included the following. 

• Obtaining Security Clearances to Share Classified Information. As we 

reported last year, several ISACs identified obtaining security clearances as a 
challenge to government information sharing with the ISACs. Seven of the 15 
ISACs with which we discussed this issue indicated either that some of their 
security clearances were pending or that additional clearances would be needed. 

• Identifying Sector Interdependencies. Federal CIP policy has emphasized 
the need to identify and understand interdependencies between infrastructure 
sectors. The ISAC Council also highlighted the importance of identifying inter- 
dependencies and emphasized that they require partnerships between the sec- 
tors and the government and could only be modeled, simulated, or “practiced” 
once the individual sectors’ dynamics are understood sufficiently. The current 
short-term focus for the ISACs is to review the work done by the government 
and the sectors regarding interdependencies. Similarly, a DHS official acknowl- 
edged the importance of identifying interdependencies, but that it is a longer- 
term issue. 

• Establishing Communications Networks. Another issue raised through 
the ISAC Council’s white papers was the need for a government-provided com- 
munications network for secure information sharing and analysis. Specifically, 
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the Council suggested that although functionality would be needed to satisfy 
the ISACs’ requirements, DHS’s Critical Infrastructure Warning Information 
Network (CWIN) could be used as an interim, first-phase communications capa- 
bility. According to the Council, some of the ISACs are conducting routine com- 
munications checks at the analytical level in anticipation of expanded use of 
CWIN. In discussing this issue with a DHS official, he said that ISAC access 
to a secure communications network would be provided as part of the planned 
Homeland Security Data Network (HSDN). DHS recently announced a contract 
to initiate the implementation of HSDN, which is be a private, certified, and 
accredited network that provides DHS officials with a modern IT infrastructure 
for securely communicating classified information. According to DHS, this net- 
work will be designed to be scalable in order to respond to increasing demands 
for the secure transmission of classified information among government, indus- 
try, and academia to help defend against terrorist attacks. 

DHS Information-Sharing Plan 

At the time of our study, the relationship and interaction among DHS, the ISACs, 
sector coordinators, and other sector-specific agencies was still evolving, and DHS 
had not yet developed any documented policies or procedures. As we discussed ear- 
lier, HSPD-7 requires the Secretary of Homeland Security to establish uniform poli- 
cies for integrating federal infrastructure protection and risk management activities 
within and across sectors. According to a DHS official, the department is developing 
a plan (referred to as a “roadmap”) that documents tbe current information-sharing 
relationships among DHS, the ISACs, and other agencies; goals for improving that 
information-sharing relationship; and methods for measuring the progress in the 
improvement. According to this official, the plan is to define the roles and respon- 
sibilities of DHS, the ISACs, and other entities, including a potential overlap of 
ISAC-related responsibilities between IAIP and the Transportation Security Admin- 
istration. Further, the official indicated that, in developing the plan, DHS would 
consider issues raised by the ISAC Council. 

In summary, since first encouraged by federal CIP policy almost 6 years ago, pri- 
vate-sector ISACs have developed and evolved into an important facet of our na- 
tion’s efforts to protect its critical infrastructures. They face challenges in increasing 
their sector representation and, for some, ensuring their long-term viability. But 
they have developed important trust relationships with and between their sectors — 
trust relationships that the federal government could take advantage of to help es- 
tablish a strong public/private partnership. Federal agencies have provided assist- 
ance to help establish the ISACs, and more may be needed. However, at this time, 
the ISACs and other stakeholders, including sector-specific agencies and sector coor- 
dinators, would benefit from an overall strategy, as well as specific guidance, that 
clearly described their roles, responsibilities, relationships, and expectations. DHS 
is beginning to develop a strategy, and in doing so, it will be important to consider 
input from all stakeholders to help ensure that a comprehensive and trusted infor- 
mation-sharing process is established. 

Mr. Chairman, this concludes my statement. I would be happy to answer any 
questions that you or members of the subcommittee may have at this time. 

If you should have any questions about this testimony, please contact me at (202) 
512-3317 or Ben Ritt, Assistant Director, at (202) 512-6443. We can also be reached 
by e-mail at daceyr@gao.gov and rittw@gao.gov, respectively. 

Other individuals making key contributions to this testimony included William 
Cook, Joanne Fiorino, Michael Gilmore, Barbarol James, Lori Martinez, and Kevin 
Secrest. 

Mr. Thornberry. Thank you, sir. I appreciate your much more 
detailed written statement which I read last night, that goes into 
considerably more detail. 

Mr. McCurdy, if you can do 5 minutes, we will go ahead and 
have you at it. 

STATEMENT OF THE HONORABLE DAVE MCCURDY, 
EXECUTIVE DIRECTOR, INTERNET SECURITY AL LIANCE 

Mr. McCurdy. Mr. Chairman, I am used to a 2-minute rule, ac- 
tually. 

[Laughter.] 

I will submit even the summary of my statement for the record 
as well. Let me just briefly, as I understand what the sub- 
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committee is interested in. The Internet Security Alliance was ac- 
tually formed in April 2001, 5 months before 9—11. I was actually 
in Tokyo at an OECD meeting on 9-11 defining cyber security best 
practices. So we have been at this for quite some time. 

We formed a novel model. We had looked at the ISAC models 
and we in industry, in representing the Electronic Industries Alli- 
ance of over 2,500 member companies, found that those models 
were not sufficient for the needs of industry in improving cyber se- 
curity. We created a cross-sectoral international organization that 
integrates many of the security services into one coherent model. 
The Internet Security Alliance is structured in a fundamentally dif- 
ferent way than the traditional ISACs. 

Let me just briefly say what they are. Cross-sectoral, we have 
members from the financial industry, from insurance, telecommuni- 
cations, defense and security industries, consumer electronics, food 
products, and even the National Association of Manufacturers that 
represents over 12,000 companies. We designed the organization 
this way because quite frankly the Internet is structured this way, 
cross-sectoral. It knows no borders. It knows no boundaries, wheth- 
er it is national or international. A cyber-attack on the Internet af- 
fects a lot of these companies the same way. I do not care if you 
are AIG, Coca-Cola, Sony, Verizon or Visa, all of whom are mem- 
bers of the Internet Security Alliance. 

I said it is international. We have members on four continents. 
These are trusted partners, but they are dealing with similar con- 
cerns, and that is consistent with the national plan to secure cyber 
space. We are also developing security anchor programs in Latin 
America and other countries such as India. 

Finally, our model attempts to provide, when I say a comprehen- 
sive, coherent and integrated approach to cyber security, we go be- 
yond just information sharing. We had a partnership with the 
CERT/CC. I serve on the board of advisers for the Carnegie Mellon 
Software Engineering Institute and developed this relationship 
over quite some time on how they could improve their dissemina- 
tion of information and get the feedback from industry. 

We developed best practices. We are in our third practice book 
that just came out for small businesses. We had one for corporate 
leadership, the CEO-level leadership in major companies, and we 
had one for individual users. We have teamed with groups in order 
to make that work. We get that information from industry, working 
to build on the research also at Carnegie Mellon. These practice 
editions have been endorsed by TechNet and Partnership for Crit- 
ical Security, NAM, the U.S. Chamber, and others. 

In addition to that, we believe that wide distribution is critical, 
but currently it is not being done sufficiently. So we have developed 
some market-based incentives and some programs to try to get 
higher buy-in from the industry leadership. We have developed a 
program with AIG insurance where you have discounts if you fol- 
low best practices. There are tools being developed by a consortium 
on security trying to have metrics by which they can even deter- 
mine whether or not there is a qualified member in order to par- 
ticipate. 

Finally, a lot of this I think when people think of cyber, they 
think it is only an IT issue. It is both a physical and an IT issue. 
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They are interlinked. We have been doing this for some time. TIA, 
Telecommunications Industry Association, is our sector association 
in that space, and they have been a sector leader on critical infra- 
structure long before 9-1 1 or the recent concerns. 

We are also working on risk management relationships and ini- 
tiatives with industry. Lastly, I think the headline from this hear- 
ing and the question you really have is, how are we working with 
DHS? I commend DHS for their efforts. They finally have staff on 
the ground in place, and I think they are looking at developing 
plans. They appear to have decided on the ISAC Council as their 
prime link to the private sector, but the ISACs, while critical ele- 
ments in this struggle, quite frankly do not represent everyone. 

My concern from my experience, having sat where you do in this 
very room for many, many hours, I can assure you that govern- 
ment’s approach is often silo-based and that is part of the problem 
that we have seen in dealing with government institutions and 
sharing. We decided we had to reach beyond that. That is why we 
created the Internet Security Alliance. We want to work with DHS. 
We want to be fully integrated into their discussions and we want 
to be full members of the partnership, whether that means that we 
are a cross-sector ISAC at some point of a tier-one partner. We do 
not know what the classification should be, but we do reach out. 
We have a great deal of experience. 

We also have a great deal of experience with the CERT/CC on 
how we can help them improve the type of information which is 
relevant to industry. We were talking about information overload. 
I get emails every single day with another alert. There were four 
this morning, as a matter of fact. I think there is a way to narrow 
those. Mr. Dacey mentioned conference calls. We want to analyze 
the information and we pull groups together that actually take 
these alerts and translate them to meaningful, actionable items 
that the corporate sector or industry can actually work to improve 
their security. 

Again, I appreciate the opportunity. I look forward to working 
with you all. I commend you for your efforts. I know how serious 
you take this and how important it is for the nation. Again, this 
is just not a national issue. This is cross-border. It is international. 
We think we have opened the way to help address the bigger plan, 
the bigger strategy of reaching other countries as well. 

Thank you. 

[The statement of Mr. McCurdy follows:] 

Prepared Statement of the Honorable Dave McCurdy 

Thank You Mr. Chairman. 

My name is Dave McCurdy. I am President of the Electronic Industries Alliance 
and Executive Director of the Internet Security Alliance (ISAlliance). 

I am delighted to be here today to discuss how the federal government can im- 
prove its coordination with the private sector and thus, improve worldwide informa- 
tion security. 

As a cross-sector, international organization, which integrates many different se- 
curity services into one coherent model, the Internet Security Alliance, is structured 
in a fundamentally different way than traditional Information Sharing and Analysis 
Centers (ISACs). We believe this model has much to recommend, not as a substitute 
for the ISACs, but as a complement to them. I am concerned, however, that we are 
not yet seeing this potential realized. Greater involvement and coordination with 
the ISACs and the Department of Homeland Security (DHS) would be extremely 
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helpful to organizations like the ISAlliance, and the companies they represent and 
I believe would be in the best interests of our own national security. 

Today I would 1 like to cover three main points. 

1. I would like to outline the model the Internet Security Alliance operates 
under and suggest some fundamental differences from the traditional ISAC 
model. 

2. I want to discuss how this model facilitates the development of an integrated, 
comprehensive, and coherent approach to cyber security, and I want to offer a 
couple of examples of how this approach can enhance our efforts to promote 
cyber security. 

3. I want to raise some organizational issues regarding DHS coordination with 
models such as ours. I believe that organizations such as our need to be fully 
integrated into the public private partnership between DHS and the private sec- 
tor either as an inter-sectoral ISAC or with equivalent status within the tier 
one partnership with the ISACs. 

Before I begin I want to make our posture with respect to the ISACs very clear. 
About a quarter of our membership also participates in ISACs. Some of our Board 
members also serve on the Boards of various ISACs. We regard the ISACs as “com- 
rades in arms.” 

It is surely true that there are some issues unique to industry sectors that are 
most effectively dealt with by a sector specific domestic entity. However, the 
ISAlliance also concurs with the National Strategy to Secure Cyber Space that 
found that “some cyber security problems have national implications and cannot be 
solved by individual enterprises and sectors alone.” 

We do not seek to displace the ISACs; we seek to work more closely with them, 
and DHS. 

THE INTERNET SECURITY ALLIANCE MODEL 

CROSS-SECTOR INFORMATION SHARING & ANALYSIS AVAILABLE TO ALL 

The ISAlliance was created in April of 2001, five months before the attacks on 
the Pentagon and the World Trade Center. We created it because, even then, we 
saw the need for a new approach to the growing cyber threat. 

In contrast to the ISACs, which are generally structured along traditional indus- 
try specific silos, the ISAlliance has members from many different sectors. We de- 
signed the organization this way because the Internet is organized this way. Essen- 
tially, we are all using the same Internet. So, from the cyber security perspective 
the threats and attacks may be very similar regardless if you are Coca-Cola, Sony, 
Visa or VeriSign (all members of ours). As a result, there is much to learn from, 
and help can be offered to, your brother companies regardless of industry sector. 

As a member of the Board of Advisors of the Software Engineering Institute at 
Carnegie Mellon University, I have had substantial contact with the experts at the 
CERT/cc at Carnegie Mellon who educated me on this growing problem in 2000. We 
decided then that the private sector needed to not only contribute to, but to dem- 
onstrate leadership in making this critical infrastructure more secure. We devised 
a creative public private partnership, which integrated and maximized the com- 
plementary assets of CERT, the federal government and private industry. 

CERT/cc, which was funded primarily by the U.S. federal government, had long 
been recognized as the premier center for Internet threat and vulnerability informa- 
tion. But it lacked a practical channel to get this information to the private sector, 
or stimulate interest in the necessary education, training, policy development and 
incentive programs that would be required to fully achieve the goal of information 
security. 

EIA has been involved in physical security through the Telecommunications In- 
dustry Association (TIA) which is both a sector of EIA and an ISAC sector coordi- 
nator. Since we understood that physical and cyber security are most effectively 
dealt with in an integrated fashion, we sought a mechanism to bring these entities 
together. 

We decided on collaboration between CERT/cc and EIA called the ISAlliance. 
Using the EIA member companies as a marketing base we recruited corporations 
to join the ISAlliance. They paid dues, and in return, operating under strict non- 
disclosure agreements would receive access to prime CERT/cc information. They 
would share this information with each other and the CERT/cc to identify and ana- 
lyze looming threats and collectively work on solutions. 

Since the ISAlliance members were receiving more from CERT/cc than the general 
public they agreed to pay a fee for this benefit. It was seen as a user fee similar 
to that paid by patrons at National Parks. While some companies using other, non- 
CERT, the ISAlliance services paid substantial dues, we never wanted money to be 
a barrier to entry into the ISAlliance. Dues entitling companies to the same CERT/ 
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cc information (albeit fewer copies) were set as low as $3,000 a year — affordable for 
virtually any private firm. And, though we don’t like to publicize it for obvious rea- 
sons, we have made financial adjustments for companies who had difficulty making 
the specified dues payment. 

INTERNATIONAL 

The ISAlliance is also focused internationally, where ISACs tend to be U.S. — cen- 
tric. The ISAlliance has members on four continents. Our current Chairman of the 
Board. Dr. Bill Hancock, is from a British company and we have four other non- 
U.S. based companies on our Board along with eleven U.S. based companies. The 
international aspect of our efforts is important because cyber security is inherently 
an international issue. Many attacks originate offshore and implementing a truly 
effective means of securing cyber space must include finding and working with 
trusted offshore partners. 

As the U.S. National Strategy to Secure Cyber Space states, in part; “America’s 
cyberspace is linked to the rest of the world”. . . . Securing global cyber space will 
require international cooperation to raise awareness, increase information sharing, 
promote security standards. . .The United States will seek the participation of U.S. 
industry to engage foreign counterparts in peer-to-peer dialogue with the twin objec- 
tives of making an effective business case for cyber security and explaining success- 
ful means for partnering with government on cyber security.” 

I’d like to offer a quick example of our efforts. After making a presentation to the 
Organization of American States (OAS) first broad conference on cyber security last 
August, OAS staff requested that the ISAlliance construct a specific program to in- 
tegrate the private sector in the OAS region into the state-to-state programs for 
cyber security that were being developed. We came up with what we call our “Secu- 
rity Anchor” program. 

This program is built on the “Transition Partner” program developed at Carnegie 
Mellon University. Under the Security Anchor Program private sector entities would 
obtain a special membership with the ISAlliance, which will allow them to essen- 
tially become “branch offices” within their regions. The Security Anchor for the re- 
gion would distribute appropriate information about threats and vulnerabilities and 
hold meetings and conferences, but on local time providing translation as necessary 
for materials. The Anchor “tenant” would also be required to send personnel to Car- 
negie Mellon where they would be trained as trainers. The Anchor would then pro- 
vide this training in their region, for which they could receive payment. We believe 
providing a market incentive to our Anchor partner is the most efficient and effec- 
tive way to accomplish the goals set forth in our National Strategy. 

In this way we hope to make international cyber security “home grown.” We be- 
lieve this is the only way that we can hope to succeed in reaching the international 
goals as set forth in the National Strategy. The U.S. can’t expect to “export” secu- 
rity. 

AN INTERGRATED COMPREHENSIVE AND COHERENT APPROACH TO 
CYBER SECURITY USING MARKET FORCES AS INCENTIVES 

The ISAlliance attempts to provide its members with a comprehensive, coherent 
and integrated approach to cyber security that uses market forces to drive on-going 
improvements in cyber hygiene. 

INFORMATION DISSEMINATION AND ANALYSIS 

Like many ISACs, we begin with information dissemination and sharing about 
emerging threats, vulnerabilities and attacks on the Internet. We have historically 
done this though a contractual relationship with the CERT/cc as a founding partner 
in the ISAlliance. 

In our three years of operations we have sent out literally thousands of these no- 
tices. We just released our first quarter technical report to the membership, which 
showed that in 2004 alone we have already sent out through our e-mail channel 
hundreds of reports, which have been followed by scores of analytical conferences 
between the members and CERT/cc. 

When we, started several years ago, our prime activity was information sharing, 
mostly through e-mail notices. However, experience has taught us that simply dis- 
seminating information is by no means enough. In fact, our members have told us 
that at times there is too much information being circulated and the real need is 
to be able to separate out what is important and what is simply noise. 

Information analysis is critical if threat and vulnerability data is to be used effec- 
tively. We facilitate the analytical process with regularly scheduled, as well as spe- 
cially scheduled, meetings where in our members discuss the state of the network 
with the CERT/cc professionals. We have found the regularity of this process ere- 
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ates, over time, a sense of trust and confidence that we think is vital for effective 
information sharing. 

DEVELOPING BROADLY ENDORSED BEST PRACTICES 
While information sharing and analysis is a critical first step on the road to cyber 
security, is not sufficient to secure cyber space. Virtually every recent major attack 
we have experienced such as Blaster, Slammer, or MyDoom, resulted from a vulner- 
ability, which was already well known, in the community. 

At the ISAlliance we took the collaborative process of sharing information and 
built from it a systematic program of best practices. The process of developing the 
best practices is lead by the experts at Carnegie Mellon and CERT/cc and is con- 
sistent with the years of grounded research they have done and the theory of secu- 
rity that has evolved from their experience and analysis. 

However, we also involve the full membership in our processes, so that the per- 
spectives of actual businesses from multiple sectors and counties are folded into the 
final product. One advantage of this inclusive process has been that our practices 
have received an impressive level of support and endorsement from a wide breadth 
of the user community. 

For example, our first publication, “The Common Sense Guide for Senior Man- 
agers” was endorsed by the National Association of Manufacturers (NAM) which 
represents 12,000 of the most traditional of industries, as well TechNet which pri- 
marily represents the high-tech companies in Silicon Valley. Internationally it has 
been translated into Spanish and Japanese and was endorsed by the U.S. India 
Business Council and distributed by the Organization of American States. 

CREATING MARKET INCENTIVES TO ENCOURAGE ADOPTION OF BEST 
PRACTICES— THE QUALIFIED MEMBER PROGRAM 
However, developing best practices is also not enough. CEOs are overwhelmed 
with information. To succeed with them on this subject, which has traditionally 
been viewed as a “cost center,” you have to do more than just tell them it’s the right 
thing to do. We have to talk about issues they care about, like profitability, liability 
protection and marketing. We need to develop market incentives to increase the Re- 
turn on Investment (ROI) for cyber security. 

The ISAlliance has taken the lead on this issue. In the final quarter of 2003 we 
signed an agreement with AIG, which is the world’s market leader in cyber insur- 
ance. Under this new agreement AIG will provide insurance premium credits of up 
to 15% for companies that will join the ISAlliance and subscribe to our best prac- 
tices. We believe this is the first operating program which specifically ties a widely, 
and independently endorsed set of cyber security best practices directly to lower 
business costs. 

We are working through AIG and the Global Security Consortium (GSC), com- 
prised of the big auditing and accounting firms, on empirical standards with which 
we will be able to use to measure compliance with these practices. Not only will this 
tool enable us to more reliably determine who qualifies for the credits, but also it 
opens up another potential market incentive for improved security. We want to in- 
terest firms in marketing cyber security. 

Firms that achieve a specified score will be deemed a “Qualified Member” allow- 
ing them to use that designation as a market differentiator. Through this mecha- 
nism we hope to make cyber security a useful marketing tool for good actor compa- 
nies, much like the Baldrige Award has been used for high quality companies. GSC 
hopes to have their tool completed shortly and then this phase of the program can 
begin. 

DISCOUNTED EDUCATION AND TRAINING COMPLETE THE LOOP 
Finally, for firms who don’t yet score at an appropriate level to qualify for our 
discounts, we offer access to a wide range of training programs through Carnegie 
Mellon University. In keeping with the market orientation of our program, the more 
active a company is in the ISAlliance, the greater the discount they can receive on 
their training. Our interest is to accurately inform organizations where they stand 
in relation to the widely endorsed best practices, and help them reach an appro- 
priate level if they are not already there. Most importantly, the people doing the 
training are operating on the same assumptions and best practices that we started 
with in the first place thus creating a truly coherent program. 

BEST PRACTICES FOR SMALLER BUSINESSES 
This program is just one example of our activities. In fact, this afternoon we will 
be testifying before another Committee on a similar program, this time specifically 
targeted to the unique needs of smaller businesses. The National Cyber Summif, 
recognizing the value of programs such as I have just described, and realizing that 
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there was not nearly enough being done to reach out to smaller businesses, asked 
us to undertake this new effort this past December. 

Although smaller businesses have not until now been our prime market interest 
we agreed to take up the challenge. Working with the U.S. Chamber of Commerce, 
the National Federation of Independent Business (NFIB) and NAM we followed the 
same integrated, market centered model we described above. We held ten focus 
groups involving nearly 100 small businesses to find out what needed to be done 
to improve their cyber security. 

What we learned was that smaller institutions are indeed different from larger 
ones. In fact, we found that organizations across a wide spectrum of business types 
had remarkably similar problems from a cyber perspective. The similarities for 
these businesses were not the type of business they were in, but the size of their 
business and the extent of the technology available to them. As a result, the “Com- 
mon Sense Guide to Cyber security for Small and Medium Sized Businesses” looks 
quite different from the Guide for Senior Corporate Managers. 

We are happy to report that what was not very different is the response, which 
has been extremely positive. Already the Cyber Security Partnership that grew out 
of the National Cyber Summit as well as on the web sites for the ISAlliance, the 
Electronic Industries Alliance and the National Association of Manufacturers is dis- 
tributing the Small Business Guide. The U.S. Chamber of Commerce has informed 
us they expect to endorse the document at their next Board of Directors meeting 
and the Financial Services Sector Coordinating Council, an alliance of 28 financial 
services trade associations will be making it available to their members and holding 
a series of meetings with thousands of its members where the Guide will be high- 
lighted. 

Given the fact that this project is only a couple of months old we are naturally 
very encouraged. When mature, we fully expect this program will be coherent, meas- 
urable and market driven just as was the case with the Senior Managers program. 

CYBER AND PHYSICAL SECURITY— REACHING OUT TO RISK MANAGERS 

Another area we are working on is the integration of cyber and physical security. 
We believe, as Secretary Ridge has said, that you can’t have cyber security without 
physical security and you can’t have physical security without cyber security. How- 
ever, in corporate America there remains a misconception that cyber security is an 
“IT problem.” While obviously there are many IT aspects to cyber security it is not 
properly classified only as an “IT problem.” 

Cyber security is a management problem. It is an economic problem. It is an em- 
ployee training, compliance and retention problem. Most of all, cyber security is a 
risk management problem. However, most corporate structures still relegate the dis- 
cussion of cyber security to the IT department rather than fully integrating it into 
the discussions with physical security and risk management. We have heard a good 
deal of talk recently about structures within the federal security bureaucracy which 
may have limited information sharing and proper threat management. Private in- 
dustry is not immune to these same types of organizational problems. 

Therefore, we have recently undertaken a pilot study reaching out to the risk 
managers in industry in an attempt to find out how we can better involve them in 
the cyber security discussion. We believe that it’s critical to better integrate physical 
and cyber security issues within the overall corporate risk management structure. 
We are trying to find out how we can do that, from the people who are actually 
making the organizational, budgeting, and resource allocation decisions. 

Although we have initiated this study, it is too early to report results. We do ex- 
pect however, that, as was the case with our other projects, we will learn from this 
effort and we can make further impact in securing cyber space. We look forward 
to sharing these approaches both with industry, and to the federal government. 

NOT JUST SERVICES; A COHERENT INTEGRATED PROGRAM 

We believe the comprehensiveness of the ISAlliance program is making a positive 
contribution to the cause of information security. 

• Hundreds of technical notices about Internet threats and vulnerabilities each 
year to our members from the best source available to private industry. 

• Scores of analytical conferences to discuss the data and what to do about it 

• Development of best practices that are widely endorsed and disseminated 
both domestically and abroad. 

• Development of independent, auditable third-party evaluation tools and meth- 
ods 

• A program of market-based incentives to improve the ROI for cyber security 

• Education, training and public policy programs. 

• Initiating new programs to push the envelope into heretofore underserved 
populations 
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But the key aspect is that it is a coherent program. We start with the hard data 
we get from CERT and we blend into that the real world needs and experiences of 
industry and develop programs, practices and policies which can drive pragmatic 
improvements. And then, if individual entities can’t make the grade they are offered 
training based on the same theories and practices that were used to develop the 
best practices. 

COORDINATING WITH THE ISACS AND DHS 

As proud of these accomplishments as we are, we have some concerns for the fu- 
ture. 

We supported, and continue to support, the creation of the Department of Home- 
land Security. We in no way wish to be critical of the effort and sincerity of the 
people who are working at DHS. They are working very hard to accomplish an enor- 
mous task virtually immediately. We sincerely hope that our testimony at this point 
will be taken in the spirit it is given, constructive suggestions that we believe will 
assist all of us who are working in this space to be more effective. 

In fact the ideas we offer the Committee today have been previously raised with 
staff and principals and we are continuing to work on them. We anticipate that in 
the due course of time they will be satisfactorily resolved. We believe, however, that 
there are very important issues, which must be appropriately addressed. 

DHS SHOULD COORDINATE WITH ALL INFORMATION SHARING ORGANI- 
ZATIONS— NOT JUST ISACS 

We suggest DHS broaden its systematic communication to include organizations, 
such as the ISAlliance, who are providing important services, although they are not 
ISACs. 

In the interdependent cyber world the “critical infrastructures” may be dependent 
on the “non-critical” organizations that service them. In addition to the IT, telecom 
and financial institutions we represent we count the National Association of Manu- 
facturers among our sponsors. These are the people who manufacture the parts used 
to construct our defense products and operate the supply chains upon which many 
“critical” businesses rely. These organizations also need to be systematically in- 
cluded in the on-going public private partnership with DHS. 

Moreover, while we are focused on cyber security today from a national security 
perspective, most Internet attacks have nothing to do with international terrorism. 
Cyber security is also a critical business issue and from a business perspective the 
“non-critical” portions of the economy deserve as much protection as the rest of the 
economy. 

The Department of Homeland Security seems to have decided upon the ISACs and 
the ISAC Council as the primary linkage to the private sector. Since we are not for- 
mally an ISAC, we are not part of the ISAC Council and hence we are not in many 
of the meetings and discussions from which DHS appears to be receiving their pri- 
mary input. We would like to work with DHS and the ISAC Council to integrate 
our broad membership into this forum. 

Two years ago Congress passed legislation, which attempted to facilitate the shar- 
ing of information between private industry and the government. In the initial 
drafts of that bill the adjustments to FOIA, etc. were confined to ISACs. It was cor- 
rectly pointed out to the drafters that there is in fact information sharing outside 
of the formal ISAC structure and the legislation was redrafted to read “information 
sharing organizations.” We believe DHS should follow this precedent in developing 
their public private partnership. 

COMPANIES NEED THE CERT/CC DATA THEY HAVE COME TO RELY ON 

Over the past several years the nearly 60 companies who are members of the 
ISAlliance have come to rely on our working relationship with CERT/cc. Last year, 
DHS announced that they would be launching USCERT utilizing in main the facili- 
ties formerly known as CERT/cc at Carnegie Mellon. 

We have no objection to DHS creating USCERT. Indeed, we see it as following 
and extending the model we created over three years ago for how to disseminate 
CERT/cc data to the private sector. 

However, it would be problematic if suddenly the ISAlliance members who have 
relied on this information to build their corporate security plans and policies, are 
now denied access to that data. 

Indeed, such an outcome could result in a substantial reduction in corporate cyber 
security as companies scramble to find alternative ways to receive this information. 
Moreover, the fact that this data might now be available though an ISAC is not an 
answer since the majority of the ISAlliance members, do not participate in ISACs 
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We would like to work with DHS to assure that the transfer from CERT/cc to 
USCERT and their new partners does not ironically result in less information being 
available to some worthy companies. 

I want to conclude by noting that DHS has been open to meeting with and dis- 
cussing ways to coordination with us. Just a few weeks ago I met privately with 
Assistant Secretary Liscouski who was most gracious and cooperative. I also want 
to single out Director Yoran, who has been especially helpful and has directed that 
at least for the short term the ISAlliance not be denied access to the data its mem- 
bership has come to rely on. We are now hoping to finalize an appropriate long-term 
solution. Moreover, DHS staff have attended meetings with our membership and 
been very supportive. We want to thank and congratulate the whole team at DHS 
for their commitment and efforts. 

And finally I want to thank you, Mr. Chairman and the joint Committee for all 
your work and for holding this hearing this morning. 

Mr. Thornberry. Thank you. A lot of issues to pursue. This 
hearing will stand in recess until five minutes after the conclusion 
of these votes. It will be more than 30 minutes, so if you all have 
a chance to go get something to eat or whatever, please do. 

We stand in recess. 

[RECESS] 

Mr. Thornberry. We are going to go ahead and get started. I 
think Mr. McCurdy will be back shortly. Apparently, he went down 
to have a sandwich and probably had long lines. 

Thank you all again for your patience. Ms. VanDe Hei thank you 
particularly for yours. Now, we will turn to you and give you an 
opportunity to summarize your statement and then we will turn to 
questions. 

STATEMENT OF DIANE VANDE HEI, VICE CHAIR, 

INFORMATION SHARING AND ANALYSIS CENTER COUNCIL 

Ms. VanDe Hei. Thank you, Mr. Chairman. I assume that my 
written testimony will be part of the record. The summary can be 
as well. 

Mr. Thornberry. Previously, we had unanimous consent for all 
full written statements to be made part of the record. 

Ms. VanDe Hei. I am also assuming you have saved the best for 
last, so I thank you, Mr. Chairman. 

Mr. Thornberry. Absolutely. Let me just say this, we are much 
more relaxed on time now. We have no more votes today, so that 
may work to your benefit or your detriment, depending on how you 
look at it. 

Ms. VanDe Hei. Thank you, Mr. Chairman and distinguished 
members of the subcommittees. It is an honor for me to be here 
today to talk with you about the private sector’s relationship with 
the Department of Homeland Security. My name is Diane VanDe 
Hei. I serve as the vice chair of the ISAC Council. I also serve as 
the executive director of the Association of Metropolitan Water 
Agencies and the WaterlSAC, Water Information Sharing and 
Analysis Center. 

In the way of background, the ISACs originated when the Fed- 
eral Government issued its policy on critical infrastructure protec- 
tion, otherwise known as Presidential Decision Directive 63. That 
directive carried through to the new Administration but it is now 
embodied in a new directive called HSPD-7. I cannot tell you what 
it stands for, but we do pay attention to what it says. It continues 
the emphasis on ISACs and the need to share information. 
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The ISAC Council brings together 14 sectors at this point, includ- 
ing the eight originally designated critical infrastructures. We have 
tried to be inclusive, rather than exclusive, wanting to learn from 
each other. The goal of the ISAC Council is to look at not only how 
we can learn from each other in terms of the models we use, but 
also to look at interdependencies. We have formed trusted relation- 
ships with the other sectors including electric, rail sector, and oth- 
ers so that if something happens to them, they can work with us. 
One of the primary goals of the ISAC Council was to build that 
kind of trusted relationship among sectors, but also to begin to look 
at how we could better share information with the government and 
the government could share it with us. 

To improve the ISACs and to help communicate with govern- 
ment, the ISAC Council has developed eight white papers that re- 
flect the collective analysis of the members of the ISACs and cover 
a broad set of issues and challenges. These papers recognize the 
critical leadership role played by the private sector with respect 
both to the organizational structure established in the ISAC, for 
analysis and information sharing, and in the interaction of the 
ISACs with the Department of Homeland Security and other gov- 
ernment agencies addressing the challenges of infrastructure pro- 
tection. We have shared these papers with Hill staff, DHS and 
GSA. 

One of the primary challenges to government and the private 
sector is the establishment of a trusted partnership. You have un- 
doubtedly heard that a number of times. As I think you all know, 
trusted partnerships cannot be legislated, regulated or even stipu- 
lated, nor can partnerships be purchased, traded or incorporated. 
We have learned that our ISACs need the full support and con- 
fidence of certain key elements of government to create and main- 
tain a successful comprehensive security strategy. 

Furthermore, we are also keenly aware that we, the critical in- 
frastructures, need to maintain a trusted relationship with our gov- 
ernment partners so that we can work with them and their staffs 
to maintain the delicate balance between security and privacy. Our 
relationship with DHS has had a few bumps in the road, but over- 
all we have progressed, and I believe have common goals and agree 
on the strong need to partner in information-sharing and analysis. 

As with the maturation of DHS, so has each of our collective 
ISACs. I do believe that the government assisting the private sec- 
tor with baseline funding for certain sectors is ideal. The 
WaterlSAC, the one I am most familiar with, for example has re- 
ceived funding from Congress and the U.S. Environmental Protec- 
tion Agency, while we as a sector continue to build the private sec- 
tor contribution to the ISAC. Although the information on the 
WaterlSAC is available to 54,000 community water systems and 
over 15,000 publicly owned waste water treatment facilities, our fee 
for service is based on populations served. We do not differentiate 
between the kind of information utilities receive, but we differen- 
tiate based on the size of the system. The range in price is from 
$500 a year to $7,500 a year. 

By doing this, we hope to get all of the utilities subscribing to 
the ISAC. Having said that, that has not happened. So our next en- 
hanced phase of the WaterlSAC is going to be development of a 
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push email service that will go to thousands of drinking water and 
waste water, utilities, a service that will send DHS and EPA no- 
tices and advisories that need to be sent out simply because that 
is the ethical thing to do. So we are working on that this year and 
hope to have the new system in place before the end of the year. 

Other ISACs, as you might expect, are structured differently de- 
pending on the composition of the sector and the breadth and scope 
of the services that sector has decided is needed. Banking and fi- 
nance is different from water is different from electric is different 
from telecom. 

In addition, the DHS IAIP regularly meets with the ISAC Coun- 
cil and listens to many of our concerns regarding the need for their 
strong support of the ISACs and the improvement of our informa- 
tion-sharing capabilities. 

If I could leave you with two recommendations, it would be these. 
We need your help to ensure that the private sector’s investment 
in their ISACs is built upon and strengthened. I believe that once 
you lose this voluntary work, research that people have been doing, 
that it will be lost for good. So we need your help to ensure that 
the investments that have been made in building these things is 
built upon, used and enhanced. 

Second, we need your help to insist that the private sector be in- 
cluded up front in the analysis of intelligence. Government must 
learn to trust infrastructure owners and operators with real infor- 
mation that allows us to apply our resources in a smart way to pro- 
tect the infrastructures. Again, I will just give you a quick exam- 
ple. The WaterlSAC employs analysts that have top security-plus 
clearances so that they can communicate with intelligence officials 
in order to provide insights into what its impact on water might 
be. Even with that capability, we find that it is after the fact that 
we are often involved, or allowed to participate in any sort of re- 
view into what a threat to our water system might be. So we could 
use your help in that manner as well. 

That concludes my remarks. I would be glad to answer any ques- 
tions you might have. 

[The statement of Ms. VanDe Hei follows:] 

Prepared Statement of Diane VanDe Hei 


Introduction 

Good afternoon, Chairman Thornberry, Chairman Camp, and distinguished mem- 
bers of the subcommittees. It is an honor and a privilege to meet with you today 
to discuss the private sector interaction with the Department of Homeland Security 
(DHS). 

I would like to thank both the Cyber Security, Science, Research & Development 
Subcommittee and the Infrastructure and Border Security Subcommittee for cre- 
ating this important opportunity and inviting the ISAC Council to be here today. 

My name is Diane VanDe Hei. I serve as Vice Chair of the Information Sharing 
and Analysis Center (ISAC) Council. I am also Executive Director of the Association 
of Metropolitan Water Agencies as well as the Water Information Sharing and Anal- 
ysis Center (WaterlSAC). 

Background 

ISACs originated when the Federal Government issued its policy on Critical Infra- 
structure Protection, otherwise known as Presidential Decision Directive 63. PDD- 
63 has been replaced with HSPD-7, to authorize and encourage national critical in- 
frastructures to develop and maintain ISACs between the private sector in coopera- 
tion with federal government as a means of strengthening security and protection 
against cyber and operations attacks. 
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The ISAC Council 

Homeland security presents significant challenges for the ISAC community and 
we look forward to working directly with you in the coming months. The work you 
are doing is extremely important and you have the commitment of the ISAC Council 
to do everything we can to assist in protecting the critical infrastructures of the 
United States. 

I am here today to briefly discuss the ISAC Council and its role in protecting crit- 
ical infrastructures. Members of the subcommittees, the ISAC Council voluntarily 
formed almost two years ago. Our goals are to discuss interdependencies and how 
we can develop better communications — among the various sectors and across bor- 
ders — as well as what information should be shared on both physical and cyber 
issues within the sectors and with the government. 

The Council has grown from representing eight sectors to include 14 sectors. In 
addition to the private sector membership, the ISAC Council also includes govern- 
ment ISAC’s such as Emergency Management and Response who report to DHS as 
well as the Multi-state ISAC. 

Early on the ISAC Council saw the need to be a very inclusive group. Although 
each of our sectors is unique in composition they are also intimately intertwined 
with each other, and a catastrophe in one sector can impact many others. We have 
seen this on a number of occasions. Take 9/11 for example, we had a physical impact 
on the twin towers, which impacted telecommunications and electric services, as 
well as closing Wall Street for four business days. Additionally, the northeast power 
outage impacted several sectors including drinking water, wastewater, transpor- 
tation and small businesses alike. 

To improve the ISACs and to help communicate with government, the ISAC Coun- 
cil has developed eight white papers that reflect the collective analysis of members 
of the ISAC Council and cover a broad set of issues and challenges. The topics in- 
clude: 

• Government — Private Sector Relations 

• HSPD-7 Issues and Metrics 

• Information Sharing and Analysis 

• Integration of ISACs into Exercises 

• ISAC Analytical Efforts 

• Policy Framework for the ISAC community 

• Reach of the Major ISACs 

• Vetting and Trust 

These papers recognize the critical leadership role played by the private sector, 
with respect both to the operational infrastructures established in ISACs for anal- 
ysis and information sharing and in the interaction of ISACs with the Department 
of Homeland Security and other government agencies addressing the challenges of 
critical infrastructure protection. We have shared these papers with Hill staff, DHS 
and GSA. 

We believe that these papers are only the beginning steps in tackling the serious 
policy and process issues challenging the implementation of an effective private sec- 
tor and government information sharing and analysis partnership. The ISAC Coun- 
cil is continuing to work on concrete actions to increase ISAC support to the nation. 
To facilitate this effort, the ISAC Council members communicate on a daily basis 
(conference calls or by email) on operations and on an as needed basis for large new 
vulnerability announcements and/or incidents. 

Government — Private Sector Partnerships 

One of the primary challenges to government and the private sector is the estab- 
lishment of trusted partnerships. I believe we all agree that partnerships between 
government and the private sector are essential and since 9/11, it has become even 
more critical for these partnerships to mature in order to effectively address home- 
land security issues. 

As you all know, trusting partnerships cannot be legislated, regulated, or even 
stipulated. Nor can partnerships be purchased, traded or incorporated. 

Partnerships are built between people and organizations that recognize the value 
in joint collaboration toward a common end. They are fragile entities that need 
to be established and maintained by all participants and built upon a foundation 
of trust. 

We have learned that our ISAC’s need the full support and confidence of certain 
key elements of the government to create and maintain a successful and comprehen- 
sive security plan. Furthermore, we are also keenly aware that we, the critical infra- 
structures, need to maintain a trusted relationship with our government partners 
so that we can work with them and their staffs to maintain the delicate balance 
between security and privacy. 
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Our relationship with DHS has had a few bumps in the road, but overall we have 
progressed and, I believe, have a common goal and agree on the strong need to part- 
ner in information sharing and analysis. 

As with the maturation of DHS, so have each of our collective ISAC’s. I do believe 
that the government assisting the private sector with baseline funding for certain 
sectors is ideal. The WaterlSAC, for example, has received funding from Congress 
and the U.S. Environmental Protection Agency (EPA) while we continue to build the 
private sector contribution to the ISAC. Although the information on the 
WaterlSAC — available to 54,000 community water systems (90 percent publicly 
owned and 10 percent investor owned) and 15,000 publicly owned treatment 
works — is available to all subscribers, our fee for service to these utilities is tiered 
based on population served. By doing so, we hope to make the WaterlSAC affordable 
to all drinking water and wastewater utilities. In addition with the help of congres- 
sional funding, this year we will broaden the reach of the WaterlSAC by developing 
a push email system that will be capable of reaching thousands of drinking water 
and wastewater utilities with federal advisories and notices. 

Other ISACs, as you might expect, are structured differently depending on the 
composition of the sector and the breadth and scope of the services the sector de- 
cides is needed. That being said, we must keep our ISAC models in tact, meaning 
that the government should not attempt to dictate how the individual ISACs are 
structured nor how information is provided analyzed and reported to government. 

On a very positive note, DHS has agreed to pilot the HSIN network with the 
water and electric sectors and has also provided funding to do tabletop exercises 
with the Financial, Telecommunications, and Electric Sectors. 

In addition, DHS IAIP regularly meets with the ISAC Council and listens to many 
of our concerns regarding the need for their strong support of the ISACs and the 
improvement of our information sharing capabilities. 

Summary 

The ISAC Council plays an important role in homeland security. It brings to- 
gether diverse sectors, examines commonalties and most importantly cements trust- 
ing partnerships that allows us to share information, learn the best from each other 
and enhance communication among interdependent sectors. 

If I could leave you with two recommendations it would be these: We need your 
help to ensure that the private sector’s investment in their ISACs is built upon and 
strengthened. Once lost, this type of voluntary commitment will be very difficult if 
not impossible to rebuild. Secondly, we need your help to insist that the private sec- 
tor be included “up front” in the analysis of intelligence. Government must learn 
to trust infrastructure owners/operators with real information that allows us to 
apply our resources in a smart way to protect the infrastructure. 

Thank you for the opportunity to testify today. I would be happy to answer any 
questions. 

Mr. Thornberry. Thank you. 

Ms. Lofgren? 

Ms. Lofgren. I am interested, Ms. VanDe Hei, on how not every 
water entity belongs to the ISAC. Am I correct? 

Ms. VanDe Hei. That is correct. 

Ms. Lofgren. So how do you disseminate and communicate with 
those entities that are part of the whole system, but not actually 
part of the ISAC? 

Ms. VanDe Hei. From 9-13-2001, the first thing we did was to 
develop an email push system that could reach thousands of utili- 
ties. We maintain that today. So although the subscribers to the 
WaterlSAC receive it, the WaterlSAC is both the knowledge base 
that we house sensitive information on, and also a means of send- 
ing out encrypted email. At the same time, we have maintained the 
push email system that we had developed almost three years ago. 
So when need be, we just push it out. 

This advanced system that I was talking about earlier where we 
were developing a new system where it would just be pushed out 
to thousands of utilities, we have the funds to do that today and 
we hope to have that by the end of the year. So we will be reaching 
both subscribers and those who do not join the WaterlSAC. 
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Ms. Lofgren. Looking at it from the other point of view, the in- 
formation that DHS needs about threats, from what Mr. Liscouski 
said, they are dependent upon the entities involved. So you would 
have information about your part of the water world. How do you 
involve the rest of the water world that is not a part of the ISAC 
in that threat assessment activity? Are they asked to participate? 
How are they identified and included? 

Ms. VanDe Hei. In the assessment of their individual utilities? 

Ms. Lofgren. We have yet to accomplish a comprehensive threat 
assessment. 

Ms. VanDe Hei. Yes. 

Ms. Lofgren. What I think the testimony is that we are solic- 
iting information from various entities in charge of aspects of 
American life about what the threat is. ISACs are part of that pro- 
tocol, but not everybody who is a part of the world is a part of the 
ISAC. How do we include them? Do you play a role in that? Does 
the Department do it directly? 

Ms. VanDe Hei. What we have done is we have included both 
on the secure site and on the public site an incident reporting form 
that anyone can fill out. It comes into the WaterlSAC for the ana- 
lysts to look at. That information is shared with the intelligence 
community, particularly if it looks like it is a pattern in a region. 
So we have it available both on the private site and the public site. 
So you could go to the public site and report an incident, and it 
would go to the analysts and be treated seriously. 

Ms. Lofgren. That may or may not be good news if it is a public 
site and the terrorists have access, too. 

Ms. VanDe Hei. It will go into the system is what it will do. 

Ms. Lofgren. Have you, for example in your ISAC, been solicited 
for critical information, threat assessment information? 

Ms. VanDe Hei. No. Drinking water systems are a little bit dif- 
ferent in that they were required in 2002 to do vulnerability as- 
sessments and to provide them to EPA. So we know that the 500 
largest systems serving over 100,000 people, those are done. 

Ms. Lofgren. Right, but we do not know whether DHS has actu- 
ally availed themselves of that information. 

Ms. VanDe Hei. We do not, but they are being treated as sen- 
sitive documents. I understand that they have requested the ability 
to view them. How often, how frequently, I am not privileged to 
that information. 

Ms. Lofgren. Just out of curiosity, thinking about this is struc- 
tured, in California, if you know, who belongs to the ISAC in the 
water world? Who belongs and who does not belong in the 
WaterlSAC? 

Ms. VanDe Hei. I do not have that list with me today. 

Ms. Lofgren. Could you send it to me later? 

Ms. VanDe Hei. Sure. 

[No list provided to the Committee by the time of printing.] 

Ms. Lofgren. I appreciate that. Thank you very much. 

I am interested, Mr. Dacey, on the ISACs, it is the same ques- 
tion. The Department of Homeland Security needs to reach out for 
this critical infrastructure assessment. Do you know what DHS is 
doing to reach out to non-ISAC entities for this information? 
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Mr. Dacey. I am not familiar with the exact actions they are tak- 
ing, but I think that is certainly an area that has been identified 
by pretty much everyone as an area that needs to be addressed. If 
you look broadly across the ISACs when they were initially formed, 
although if you look at the numbers a large portion of the oper- 
ations of the industry generally are represented, oftentimes that is 
concentrated in a relatively small number of entities that are the 
leaders in those industries. We have a large number, and we gave 
some examples in our testimony in financial services, a large num- 
ber of entities that are not participants in the ISACs, but are mem- 
bers of the industry; that are important, but do not represent the 
same level of volume. So I think that has been a longstanding 
issue. 

With respect to financial services, they actually worked with the 
folks at Treasury who is their sector-specific agency, and came up 
with what is called the next-generation ISAC, because their views 
were that this rebel population was not willing to pay a significant 
amount of money in order to participate in the ISAC. So they have 
developed a model where there is a certain basic level of services 
that are available free to all participants who want to join the 
ISAC and then have a tiered approach where you pay more at dif- 
ferent levels to get a higher level of services. I think that is an 
issue that needs to be addressed. There are tiers in several of 
them, but not certainly across all of them. That is one of the areas 
that needs to be thought through as to how that will be accessed 
and how that information will be paid for, whether the Federal 
Government should continue to fund communications for this type 
of thing for that layer. 

Additionally, there are some ISACs that have the funding actu- 
ally to try to develop some of their operations, because again those 
were concerns about how they would fund their initial operations 
and set up, and then there was Federal funding to help that get 
started as well. 

Ms. Lofgren. I guess that raises a question of if the financial 
obligations are a barrier to participation and it is really in the in- 
terests of the Nation that people participate, whether we ought to 
put those, I mean, there is a dual purpose. The entity involved is 
going to benefit, but the reason why we were asking about these 
ISACs is to protect America against terrorist threats. If they are 
not participating because of the fee structure, perhaps we should 
not have that fee structure at all if we really want entities, both 
private and public, to participate. 

Mr. Dacey. It gets back to the basic models. These were set up 
as voluntary organizations. To the extent that their respective 
memberships felt it was cost-effective, they funded those operations 
and provided the level of services that were appropriate for that 
particular sector. 

Ms. Lofgren. Right, but from their point of view. 

Mr. Dacey. Exactly, from their point of view. That gets to the 
next question, well, if the Federal Government has expectations 
about the level of capabilities and services that are to be provided 
by these ISACs, that needs to be articulated and discussions en- 
tered into with industry as to how that would be paid for; whether 
incentives might be appropriate. 
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Ms. Lofgren. Do you have a recommendation on how these 
might be changed? Would you think about whether you could give 
us a recommendation that would forward the government’s interest 
in having sectors which are not currently participating participate? 

Mr. Dacey. We certainly can look into that. We have a broad rec- 
ommendation we have had out for a number of years, at least for 
a year, that the sectors needed to assess the need for additional 
public policy tools to provide the appropriate incentives for partici- 
pation in ISAC and other CIP activities. So we have had that broad 
recommendation out starting basically in January and February of 
last year. 

Ms. Lofgren. And you think we could just adopt that and that 
would solve it? 

Mr. Dacey. I think you need to think about this from a strategic 
level and think about how you want to do that, not that one size 
fits all. How do you want to apply those incentives to the sectors? 
I think you need some ground rules, some criteria, some structured 
process so that it is transparent as to how the government is going 
to go about doing that process. 

Ms. Lofgren. Right. OK, I want to think about that. 

Finally, and I do not want to hog the time here, the Chairman 
is being indulgent and I am sorry I missed your testimony, Mr. 
McCurdy, and the two secretaries, but has the Department of 
Homeland Security met with the variety of industry partners that 
you represent to get their assessment of threat in this sort of quest 
for the holy grail of the threat assessment that we are waiting for? 

Mr. McCurdy. First of all, the Internet Security Alliance was 
formed, Ms. Lofgren, as a private, it was really the first public-pri- 
vate partnership, to be honest, because we teamed with Carnegie 
Mellon and Carnegie Mellon was running the CERT which was 
funded by the Department of Defense. Their incentive was to try 
to reach out to the private sector which had a lot of expertise, but 
it was not getting out to industries. Together, we came up with the 
new model of having the cross-sector relationship and inter- 
national. There are 88 CERTs around the world, and yet there is 
not the kind of coordination that we felt was needed, nor was there 
the incentive in a lot of other countries to even involve the private 
industry, even though private industry owns about 85 percent of 
the infrastructure. 

So DHS has gone through an evolution, as you know. As I stated 
in my earlier comments, we were officially launched 5 months be- 
fore 9-11. We were formed prior to that. This was an effort from 
industry in trying to gain greater access to information that we felt 
was critical in this continuum of ensuring that the Internet itself, 
the best practices and the standards and the security, was in- 
creased. 

DHS, I think now that they do have people in key positions, both 
Mr. Liscouski and Amit Yoran, have been more receptive to our in- 
volvement and to our comments. One of the critical points that 
needs to be raised, it is true, one size does not fit all. My concern, 
having spent as much time as I have in government, is back in the 
intelligence days and also in defense, there is a tendency to become 
stovepiped. We felt in this age that we had to cross-cut that. 
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The second thing is, somewhat to our chagrin, there has not been 
the level of concern by certain levels within industry, corporate 
leadership, to provide the funding or even the awareness that there 
was as much at risk. That is why we developed the best practices 
for the C-level entities and for the organizations, trying to raise 
this concern, and also have them ask themselves in their organiza- 
tions and enterprises the questions that they should be asking to 
understand what their level of security is. The second point is, 
whether it is a push system or a pull system, I think there have 
to be incentives for industry to participate at certain levels. We 
have a fee structure. At one level, it is quite high, but we have 
more members than most of the ISACs. The reason they have 
joined, early on it was because they wanted access to the informa- 
tion, but we learned something in this multi-year process, now 3 
years, and that was information alone is not enough. You need to 
be able to analyze it. You need to understand it. So we convened 
these working groups. If there is a call, they can quickly filter 
through and say, I do not have that particular information; SNMP 
is not my concern. OK? I will not participate in that call. 

If I have a vendor or a system that relies on that, I can tell you 
that they will have active engagement in discussions, learning from 
the experts and from each other, and that information flows back 
towards government through the CERT. I think there have to be 
market-based incentives, and that is why we have started with the 
insurance program; that is why we are working with risk manage- 
ment; that is what we are trying to do with the anchor system, 
with trusted partners in other countries. 

We actually when we began the Internet Security Alliance made 
a conscious decision really not to be involved with government. 
That was before 9-11. Post-9-11, it is obvious that industry, re- 
gardless of on which continent it resides, has to be engaged some- 
what in this system. So I think there is not only increased aware- 
ness, but I think there is increased willingness to participate and 
not to be as concerned about the privacy of their data or what their 
receiving from government. It is not going to be quite as biased. 

The last point I would make, if we could, it needs to be inclusive, 
not exclusive. There is a concern that a certain incumbency or 
PDD-63, whatever the foundation happened to be, that that is the 
model that is the model and will be the model. I think we need to 
explore a lot of different models. I think that is what Mr. Dacey 
and others have been saying. There are some that have worked 
quite well. We have gone beyond the basic information sharing to 
a whole new level. But if for some reason our members were cut 
off from that information flow, I think it would affect not only their 
business, but I think it would affect the security of the Internet. 

Ms. Lofgren. Is there legislation that we could adopt that would 
assist in providing incentives or disincentives to accomplish what 
you have outlined here? 

Mr. McCurdy. Government is usually quicker to have disincen- 
tives than they are incentives, especially in fiscally difficult times. 
I am sure there could be a combination. We would like to see it on 
the incentive side, because actually that is where our CEOs and 
others respond. There are research incentives. There could be in- 
centives for implementing or employing certain technologies. There 
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is the FOIA concern. There is liability, safe harbor kinds of issues 
that obviously provides some incentives. 

Mr. Putnam had drafted legislation that he considered intro- 
ducing. I think it was originally intended to be around the Y2K 
model, which worked. Unfortunately, it was starting to look more 
like Sarbanes-Oxley, which is a burden on industry, and actually 
you would get pushed back, and if anything you would actually 
deter people from being more open and responsive. 

So we would like to find the right approach. Mr. Clinton, who is 
our chief operating officer, is going to testify later today before that 
committee, about some of the market-based incentive packages that 
we have developed. As far as I know, we are the only ISAC or in- 
formation-sharing group or organization out there that has even 
gone that far. But we have gone beyond just best practices. We 
have published those and we are creating more. 

Ms. Lofgren. I have seen those. 

Mr. McCurdy. Yes. That is actually where government, if there 
was going to be funded and people talked about where this money 
is going to go, distribution actually costs money, in getting that 
out. We just produced one for small businesses. Who bears that 
cost? Those are our natural constituency, quite frankly, in my asso- 
ciation, but we decided we had invested a great deal of money in 
the Internet Security Alliance to get it started and up and running. 
Ms. VanDe Hei mentioned the need to protect some of that private 
investment. Well, there has been a significant investment, and not 
always willingly, some of it because of my experience really push- 
ing the industry to be on the cutting edge and up front before I 
think even some recognized that there was a threat. Now, they are 
starting to see it a little bit more. 

Ms. Lofgren. I will stop and let the Chairman ask his questions, 
but isn’t it true that certainly there is a burden to participating in 
the ISACs on the part of any entity, private or public, just in terms 
of the personnel costs and the time taken from other tasks. That 
is a burden that may be easier to bear for a larger entity than a 
small entity. For a small business, that can become a daunting, in 
addition to the fees, just participating, and for a threat that is in- 
choate. There may not really be the business incentive. So it may 
not be occurring. So there is a cost to disseminating the informa- 
tion, but disseminating the information without incentives to actu- 
ally implement is another issue, whether there would be insurance 
benefits, which has been discussed, or other benefits that would 
allow a small business person or persons or a small company to ac- 
tually justify the expense and time away from other bottom-line ac- 
tivities. 

Mr. McCurdy. We learned a great deal in developing the best 
practices document for small businesses. On one level, they are 
similar vehicles. I mean, they are using the Internet, but their ca- 
pability and their access to personnel, policies, technology is far dif- 
ferent. You are right. It is a hurdle for many, not only in just cost, 
but also time. It is a real challenge to find the right incentive to 
get them involved. 

We learned from some of our partners, our founding members, 
VISA for instance has what they call the digital dozen. They are 
in a different modality. They are able to require their merchants 
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to meet certain practices. One of our other members, Nortel, has 
considered, I do not know if they have implemented, and I probably 
should not be speaking for them, but they want their supply chain, 
they want their suppliers to be at a certain level of security. So 
they are encouraging them not only to belong to Internet Security 
Alliance, but also to meet certain best practices. 

So there are a lot of companies and a lot of entities are doing it 
differently, but that does not mean it is not as good. Actually, I 
think that diversity is part of the strength. The question is, what 
is the partnership? All we are asking is that whether it is DHS or 
other entities within the government, that they are open and that 
they continue to build on the experience that we have been able to 
gain. 

Ms. Lofgren. Thank you, Mr. Chairman, for allowing me all 
that extra time. 

Mr. Thornberry. I thank the gentlelady for some excellent ques- 
tions. 

Ms. VanDe Hei, let me ask you, you have heard and you are fa- 
miliar with Mr. McCurdy’s organization. Does the ISAC Council 
have a position on whether other cross-cutting organizations or in- 
formation-sharing organizations are good and should be brought 
into the system in some formal way? What, if any, position does the 
ISAC Council have about that? 

Ms. VanDe Hei. The ISAC Council, like I mentioned, wants to 
be inclusive, rather than exclusive, so we have gone from 8 to 14. 
Basically what it takes is for somebody from that particular infor- 
mation-sharing organization to come and talk to us about what 
they do. I am not aware of anyone being turned away. 

Mr. Thornberry. But you do not have, that meets regularly with 
the ISAC Council do you, some sort of a cross, I am using cross- 
sector, but you know what I am trying to say, companies in dif- 
ferent businesses that may share a concern over cyber security in 
this case. Nobody like that sits at the table with you, do they? 

Ms. VanDe Hei. I guess I am not quite understanding the ques- 
tion, in that all the ISACs that sit around the table represent dif- 
ferent sectors. 

Mr. Thornberry. Right. 

Ms. VanDe Hei. So I sit next to the electric sector, and water 
depends upon electric. And I sit next to the railroad people, and 
water depends on the railroad. So we have set up communications 
between each other so that when something happens like in the 
power outage, we were able to talk to the electric sector and to the 
transportation folks about how long the outage would continue. So 
maybe I am missing something. 

Mr. Thornberry. I understand. ISACs are organized by sectors, 
and Mr. McCurdy’s basic point is that maybe that is not the only 
way to organize; that you could have other organizations that cut 
across different kinds of businesses that could add an element to 
this debate. I do not want to give his arguments for him, but 
maybe you could even argue that if you are not strictly organized 
by sector, you would be more likely to share information because 
it is not your competitors that are setting right there with you. 
There are other pros and cons. I am just trying to figure out wheth- 
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er the ISAC Council has formally taken a position on these other 
kinds of organizations. 

Then Mr. Dacey, I want to get to you and see whether you have 
analyzed these different ways of organizing ourselves. Part of what 
concerns me is we could be here 5 years from now and still be talk- 
ing about different ways to organize ourselves, and we may not 
have really done anything. So in some respects, we have to do 
something even if it is imperfect just to move the ball a little bit. 

Do you have anything else? Then I will go to him. 

Ms. VanDe Hei. There is no barrier to a group like Mr. McCur- 
dy’s from joining the ISAC Council at all. You do need to be aware 
there is another group of sector coordinators that have met under 
the PCIS, Partners for Critical Infrastructure Security. That group 
is predominantly cyber-focused and brings together companies from 
all different, Cisco, you name it, they are part of this coordinating 
group. The ISAC Council meets with them regularly now as well, 
so that we are sure that the sectors are looking at the bigger pic- 
ture; that the ISACs are in tune with what they are doing. So we 
have begun to meet jointly to ensure that. But just to answer your 
question, there is no barrier with an ISAC that does things dif- 
ferently from joining the ISAC Council and perhaps informing us 
about how better to do things. “Evolving” has been maybe overly 
used today, but we are looking for ways to do this better. 

Mr. Thornberry. Yes, absolutely. 

Mr. Dacey, what can you help us with here? 

Mr. Dacey. I think, again not to be too trite about the“evolving,” 
but I think things have changed a lot and there are continuing de- 
velopments and very positive things have happened. When this 
first started in PDD-63 it in fact envisioned one ISAC for every- 
body, and then it was quickly determined that really a sector-based 
approach would be more appropriate at that time. 

There are some benefits that we have identified in talking to a 
lot of people and working in this area for a while. First of all, there 
is a significant amount of industry-level expertise that exists that 
is very important for the analysis side of this whole equation. So 
I think you have to factor in how you get that sector-level, indus- 
try-level expertise for the various sectors; how some of these 
threats translate into impact. 

I think also there are established and building trust relation- 
ships within those sectors, because people know each other. A lot 
of them are in associations where there is always some affinity and 
some aggregation of interests. So I think there is some benefit, too, 
there in terms of that trust relationship, which I think is very crit- 
ical to this whole process. They are unique at this point in meeting 
the sector needs. 

At the same time, the ISAC Council is a relatively recent event 
on the spectrum of timelines since we started this inl998. I think 
the opportunity exists for them to start sharing with each other 
and breaking down those silos. I think that is particularly impor- 
tant in an area that has not been talked about, but not extensively 
pursued. I know it is on everybody’s radar screen, and that is inter- 
dependencies. That will drive the discussion of the need to work to- 
gether and it will be in everyone’s self-interest. I do not think we 
are quite there yet. I think we need to evolve to that point so ev- 
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eryone really understands how is my sector affected by that sector, 
so I care about what they are doing. 

Second, the sharing and getting together can bring about a lot 
of good practices that are really out there and that can help others 
and benefit everyone across the community. It is fair to say that 
some of these ISACs have been more at the forefront than others. 
They have been around a long time. Some of them have a long- 
standing relationship with the Federal Government, which has 
been a step up for many of them. 

So I think in answer to the question, you need to keep that in- 
dustry-level expertise and trust relationship, and you need to fig- 
ure out ways to start bringing them together collectively. I think 
that started at the ISAC level. It is starting at the sector coordi- 
nated level. I think that needs to be built up over time. The ques- 
tion is, how much time and who is in the best position to do that. 
I would leave it up to Ms. VanDe Hei just to talk a little bit about 
where they see it going, but that is my view personally on the way 
that needs to develop. It needs to be integrated in the end, so there 
is no silo. 

Ms. VanDe Hei. Could I make one statement? 

Mr. Thornberry. Sure. 

Ms. VanDe Hei. It was the primary purpose for the ISAC Coun- 
cil to come together to talk about interdependencies and how we 
might work together, but this brings up another area where you 
could help us, in that I found in talking with the intelligence com- 
munity, whether it was with the FBI or now with DHS, that they 
tend to be as stovepiped as we are or when looking at a threat. If 
it is a threat to electric, then it is an electric threat, and not nec- 
essarily a water threat or not somebody else’s threat. So bringing 
together their analysts that look at the different sectors and having 
them look together in terms of the interdependencies and what the 
threats might be to them, I think is a fairly new phenomena. I am 
not sure it is taking place very well. 

So I think as they begin to look at things in an interdependent 
way, that information will be coming to us in that way as well. 

Mr. Thornberry. I think that is an excellent point. It is part of 
what raises these questions in my mind. For example, if you have 
an issue related to electricity, it goes, say, to the electricity ISAC 
and the people who regulate it are going to be focused on it. But 
what about all the customers of electricity? How can they prepare 
for some eventuality? 

Cyber is another example which cuts across every sector, which 
makes it, I will not say unique, but I think has some particular 
characteristics. I suspect this is why Mr. McCurdy’s organization is 
focused on cyber. I do not know how many others there are like 
that, telecommunications, electricity, cyber, probably cut across just 
about everybody. But some way, we have to consider not just the 
producer side, but the consumer side of these ISACs. I am not sure 
we are there yet. 

Mr. McCurdy? 

Mr. McCurdy. Mr. Chairman, actually that is a great point. 
There is one interdependency now. There is one continuum, and 
that is we are hooked up to the network. The Internet has become 



93 


that glue. So cyber is a cross-cutting modality that I think we need 
to be concerned about. 

The other is, there has been a history with the regulated indus- 
tries. Why is the FS-ISAC more mature? Because they have been 
in a regulated industry, or you look at some of the others. Part of 
our concern was, as I sat in PCIS and other meetings, oftentimes, 
and I know the industry well, most of our members in the associa- 
tion, you usually had security people in a room talking to security 
people about what the threats were, as opposed to engaging the 
consumer and the user. That is why we shifted our focus. I think 
that has been the maturation of the Internet Security Alliance. 
That is why we have companies like Coca-Cola. They are not de- 
pendent upon one factor or another. They are a user of the Inter- 
net. 

Ms. VanDe Hei. Water. 

Mr. McCurdy. Water, OK. Yes, we are all dependent upon 
water. We are 98 percent water, right? 

[Laughter.] 

But the key is that there has to be, the Internet is the inter- 
dependency, but it is also the one area that is least regulated. So 
back to the question that Ms. Lofgren asked earlier, what is the 
way that you are able to engage the users in as deregulated a way 
as possible. I think that is the approach clearly that you have had 
working from your district in California in that industry, is you do 
not want to go to the old telecom model or to another model. You 
are trying to find a way to engage people in the Internet world. 
That is why we have to look at incentives. That is why your indus- 
try leaders are standing up every day saying here are some things 
that we ought to be looking at. 

Mr. Thornberry. This is an interesting conversation. I do not 
want to continue on forever, but that does make me think to a crit- 
ical point that Mr. Dacey includes in his report citing the ISAC 
Council that says the greatest barrier to information sharing stems 
from the practical and business considerations that although it is 
important, the benefits are kind of hard to get your hands around, 
but long-term it gets back to Ms. Lofgren’s point that maybe the 
national interest. It is more amorphous and the rubber does not 
really hit the road until something happens, and that is part of our 
challenge, I think, in trying to sort our way through all this. 

Mr. McCurdy. We have actually looked at three areas, if I could, 
Mr. Chairman. 

Mr. Thornberry. Sure. 

Mr. McCurdy. What is going to get the C-level interest? Sure, 
regulation will step up there and taxes would. But I think it is 
clear that they are interested from a marketing standpoint, and 
there are some market advantages. They are looking at a cost 
standpoint and potential liability. If we can help reduce their liabil- 
ity by becoming a qualified member, which is what we are trying 
to do, and this is where the maturation has occurred. You cannot 
be a qualified member if you do not have some way to measure 
that, and so you need some metrics. That is why we are working 
with the consortia on global security to develop metrics and tools 
so that we can actually have the benefits like insurance and re- 
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duced potential liability. So there are a number of these things that 
we are working on. 

Mr. Thornberry. And those would be metrics set by some orga- 
nization, not set by government regulation or law that would freeze 
them in place. 

Mr. McCurdy. That is exactly right. 

Mr. Thornberry. OK. 

Let me turn to slightly different issues, if I may. Ms. VanDe Hei, 
you were patiently here listening to a lot of questions go to the De- 
partment, Mr. Liscouski, earlier about vulnerability assessments 
and what they are doing. What is your overall view, or what is the 
overall view of the ISAC Council, if you can, about where the De- 
partment is, not just in giving out information that it has, but in 
receiving information from the various sectors. 

Ms. VanDe Hei. I think the flow of information from the various 
ISACs is, I would not say it is limited, but it is different depending 
on the ISAC in question. I think that for some ISACs that are, my 
ISAC is made up primarily of publicly owned entities. Most drink- 
ing water and waste water systems are publicly owned. So the 
sharing of information with the government is not new to these 
people or with each other, because they do not compete with each 
other. So that is a fairly easygoing sort of sharing of information. 

For some of the other sectors, it is proprietary information. Am 
I getting at your question? 

Mr. Thornberry. Yes, yes. 

Ms. VanDe Hei. It is more difficult to share with the govern- 
ment. Mr. Liscouski talked about the new CII program which is in- 
tended to provide the private sector with some place to put sen- 
sitive information or proprietary information and expect some con- 
fidentiality or protection to that information. I think the proof will 
be in the pudding on whether or not that program is sufficiently 
protective that it actually gets information from entities or the pri- 
vate sector that is concerned about that. 

So I guess I cannot speak for all of the ISACs, but I suspect that 
the sharing of information is very different depending on whether 
you have competition, that you have trade secrets, that there are 
things you want protected. 

Mr. Thornberry. It goes a little bit to the point made earlier 
that more regulated industries are in a different situation than less 
regulated industries. 

Mr. Dacey, what is your perspective on how far along the Depart- 
ment is as far as getting and receiving information? 

And second, do you think it is clear for an industry to whom they 
report information? It is not at all clear to me, for example, if the 
water industry says, well, we have talked and we think we may 
have a little problem here. Who do they go tell it to? Is the struc- 
ture within the Department such that the answer to the second 
part of that question is clear? 

Mr. Dacey. Two things, I think unquestionably there has been 
a lot of effort and actions being taken by the Department to try to 
address a lot of the issues that have been understood as being chal- 
lenges going forward. Again, Mr. Liscouski elaborated on quite a 
number of those activities earlier today. I think things are improv- 
ing. We are hearing about regular meetings taking place from both 
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sides. With ISACs and the Department, there is more and more 
sharing of information. 

I think the critical issues, though, get down to a couple of things 
that need to be done. We talk about that in our testimony. That 
is, I think the roles and responsibility of all the respective players 
deserves to be clarified a bit. I know we have this national infra- 
structure protection plan that is due out by the end of this calendar 
year. I realize it is being built up on a sector basis and it will be 
issued. I think it is going to be important that that lay out some 
of those roles and responsibilities, as well as initiatives, clear mile- 
stones, something that you all as Congress can look at in an over- 
sight capacity and measure progress, some of the things that you 
need to see, well, when are we going to have this or that; is that 
the right strategic direction for the Department to take across 
these wide variety of areas we have all been discussing today. 

At this point, we do not have that. We have had interaction and 
discussion with the Department, and they have shared with us 
their thoughts and ideas, but to a large extent we do not believe 
that is immortalized in writing so that somebody can independ- 
ently look at it and understand and evaluate the process. Again, 
I do not want to insinuate that they are not doing things. It is just 
that we have not seen it documented in a way that it could be inde- 
pendently reviewed. 

The other part of that is really coming up with the detailed pro- 
cedures and policies. If you look at HSPD-7, that was one of the 
charges that the Department was supposed to develop those to help 
clarify, including the issues that you talked about. Who do you re- 
port to? In our discussions with the Department, they indicated 
that they were not going to try to make everyone go through one 
single point in the Department because they felt if that person was 
not available or could not get through, it would be problematic. 
Some of the cyber issues would seem to naturally go to the NCSD, 
which is the Cyber Security Division, and we know the ISACs have 
those issues. They indicated that they were developing processes or 
planned to develop process to coordinate within the Department 
the contact information as it comes in so that if it came in one 
place, the other people who needed to know would know. But I do 
not think that is in place today. 

I do think there is some confusion from what have heard about 
who to talk to and who to report to. Again, as with anything, there 
are some trust relationships that are probably built up over time 
in certain parts of different organizations in the government that 
people would probably prefer to contact. We need to figure out a 
way to make that easier, and set up kind of a policies, procedures 
and clarity in what is the expectations are for that contact. 

Mr. Thornberry. Mr. McCurdy, go ahead. 

Mr. McCurdy. Yes, just one quick point on cyber. Cyber, again, 
is a little different as far as sharing information. I have found even 
at the international level the one trusted organization that people 
are more willing to enter into discussions with regard to threats 
and vulnerabilities has been the CERT/CC. However, our concern 
is the timeliness of the information as they change the nature and 
move to the U.S. CERT. I think there is a concern that it will be- 
come too large and too bureaucratic. Right now, it works reason- 
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ably well because there is not only a trust relationship, but there 
are ongoing dialogue and conversations beyond just the threat 
warnings. It goes to what does it actually mean. 

Eventually, we want to get out of the reactive mode into the pre- 
vention mode, where we can work with our industry and say, if you 
take these prophylactic steps, or if you do this, then you are better 
protected against potential threats or attacks regardless of the na- 
ture. 

One last point on that, we have members that are members of 
ISACs, Financial Services ISAC, the IT ISAC, and they have be- 
come more involved with us primarily because of the value add on 
top of just information. It is the value add that is going to be to 
them the most important, when they have to go justify their cost 
to their bosses, and those value adds are again, the market-based 
incentives, the best practices, the public policy, just letting them 
know what is going on is critical, too. 

Mr. Thornberry. Actually, you anticipated the question I was 
going to get to next, and that is, as U.S. CERT comes along, do 
some of your members have concerns that it is too much of a gov- 
ernment agency in order to have that sort of trust relationship con- 
tinue that they have had with the Carnegie Mellon CERT? 

Mr. McCurdy. It is interesting. The CERT/CC when it was origi- 
nally Carnegie Mellon, was a hybrid. It was funded by government, 
but it was actually run by an academic institution. We in industry 
when we all saw this triangle, we had government, academic and 
industry, there was a lot of friction there and concern about how 
well they actually could work together. I think our experience has 
been over time that we have been able to overcome the worst 
things of academia and the worst parts of government mentality 
and probably some of the worst instincts in industry, to have a 
working relationship. 

That is what I think our members are most concerned about is 
losing that synergy that has evolved. It is going to take some time. 
What we would like to hear from you all, what we are hoping to 
hear from Amit Yoran and Bob Liscouski and others is that first 
of all we are not going to break what is already working with a 
very successful organization, and that is access to the CERT data, 
just like the ISACs are going to have through the U.S. CERT. That 
is a baseline for us. Once we know that, then we are entering into 
additional relationships with Carnegie Mellon because they are cre- 
ating what they call a CyLab to take it to another level of trying 
to add value. 

What happens to U.S. CERT? We have all been involved with 
government. You have to conduct very close oversight, not on 
whether it meets timelines and all that, which is critical, but also 
what are the tendencies towards creating more and more bureauc- 
racy, become more risk-averse, less open, less cooperative. Those 
are the concerns that we have as big institutions start to emerge. 
When that occurs, when it becomes a bureaucracy, watch industry 
go the other way. Then you are going to have to regulate to get 
them involved. Right now, it is not there, but if we are not careful, 
if we do not work with them, you could end up with that result. 

Mr. Thornberry. The problem is, once you see that happening, 
it is too late. 
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Mr. McCurdy. Yes. 

Mr. Thornberry. It is hard to reverse. 

Mr. McCurdy. You are in a different situation. This is not the 
1940’s. This is a work in progress and the fact that you are having 
these having these hearings, there needs to be dialogue. I think 
your staff is having those dialogues. If a government entity learns 
anything from a hearing like this, and that is, they need to hear 
the questions and what is behind the questions. The questions are 
not always artfully phrased, but there is a genuine concern behind 
those. 

Mr. Thornberry. Something is going on. 

Mr. McCurdy. That something is going on. That is where this 
dialogue is critical. 

Mr. Thornberry. That is right. 

Ms. VanDe Hei, let me get back to you just to clarify. If the 
water folks got together and said, oh, we have this problem that 
we have not told anybody about. Would it be clear to you who in 
the Department of Homeland Security to go talk to about it? 

Ms. VanDe Hei. No. Yes, and no, OK? They have a watch unit 
that you can call an 800 number and report an incident or a num- 
ber of incidents to. I actually had experience with trying to do that. 
This is not particularly sensitive information, but there were seven 
to ten utilities in the Northeast that received threatening letters 
postmarked the same place. So I gave that information to DHS and 
to the WaterlSAC analyst. I waited a couple of days and did not 
hear anything back. So I called. I was told that it had been dis- 
missed; that they did not deem it to be credible, I guess. I asked 
on what basis and that sort of stuff. 

But I am not confident at all, one, that I reached the right peo- 
ple, or two, that it was reviewed in a way that made sense. Two 
weeks later, I got a call from the police department in New York 
State that had not dismissed the letters. So no, it is still a maze 
and I think that there are a number of places where you can call 
and refer things, but I do not have a comfort level that I hit the 
right place or that it was reviewed. It might have been, it is just 
that that is a secret to me. 

Mr. Thornberry. I think a lot of people have that concern, not 
just for immediate information that you have, but in trying to look 
at an industry and say, OK, what are some vulnerabilities; maybe 
we better talk to somebody about it. You never know. Do you go 
to the IA; to you go to the IP; how does all that work. 

Ms. Lofgren? 

Ms. Lofgren. Just one final question. This has been very help- 
ful. I know it is a long day to sit there, but it has been very helpful 
to me to hear what you have had to say. It is really for Mr. Dacey 
since you reviewed all of this. I will use water as an example, but 
I think it is equally true for any of the sectors. 

You have people involved in, say, a water wholesaler in Santa 
Clara County, the water district. They know water more than they 
know terrorism. Unless they are reading Tom Clancy novels to fig- 
ure out what could go wrong, they may see a vulnerability, but it 
may not be what the Department of Homeland Security might see. 
We know, taking water again, because of delusion, putting a sub- 
stance in the Crystal Spring Reservoir is not something I am going 
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to lose any sleep over because it is going to be diluted. It is not 
going to be effective. But what the Department of Homeland Secu- 
rity might, for example, see as a threat to water would be pollu- 
tion, say, if you dumped some PCBs in Crystal Springs Reservoir. 
It would not really kill you, but it would disrupt the distribution 
of water in a way that is significant and serious and have a huge 
economic impact. The water wholesalers might not see that, but 
DHS might. Theoretically, they are doing a list of what we should 
be worried about. How is that list being assembled and how is it 
being communicated to the various sectors to guard against the 
Tom Clancy novel scenarios? Or is it? 

Mr. Dacey. I cannot speak exactly to what they are doing in that 
regard. I can say from a standpoint of what direction I think needs 
to be taken and is being taken, is that even starting in 1998 the 
idea was that the sector coordinators and at that point lead sectors, 
now sector-specific agencies were to sit down and look at 
vulnerabilities on a sector basis, the kind of high-level 
vulnerabilities. What are the types of risks and threats? I think 
Mr. Liscouski talked about that earlier this morning. And assess 
them and determine how significant they are, again, not at an enti- 
ty level, but at a sector level. 

I am not familiar with how far they have gotten in that process. 
In theory, some of that will be addressed through these sector 
plans that are being part of this national infrastructure protection 
plan, but perhaps you might get more specifics on the water. 

Ms. Lofgren. I was just using that as an example. 

Mr. Dacey. As to how the water sector is involved in that proc- 
ess, so you might be able to provide some information. 

Ms. Lofgren. You could have the same question about electricity 
or banking or Internet technology. 

Mr. Dacey. Right. But that has been again on the books since 
PDD-63. We have had some initial strategies that came out from 
many of the sectors, but I do not think they have dug down to that 
level in detail about specific vulnerabilities and going through a 
formal assessment of the risks related to those. 

Ms. VanDe Hei. For the water sector, in addition to the utilities 
doing a vulnerability assessment, EPA was required to do a threat 
document that was distributed to every water system that served 
over 3,300 people. So they tried to bring the two together so that 
people would have something to assess their vulnerabilities 
against. That kind of document, as far as I am aware of, has not 
come out of DHS, and the one from EPA was done a couple of years 
ago, and I think could use some improvement. 

I think you would hear from DHS that providing threat guidance 
is one of the hardest things they have to do, because it is a moving 
thing, it is a moving target. What is the threat today to D.C. versus 
what is the threat someplace else tomorrow or the day after? I am 
not aware of any document like that that is available, but it is 
needed. It is desperately needed. 

Ms. Lofgren. All right. Thank you, Mr. Chairman. 

Mr. Thornberry. Thank you. 

I have just two or three final questions I would like to ask. Mr. 
McCurdy, there are lots of articles in the press today about a re- 
ported new vulnerability on the Internet. The Department had 
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issued a warning about it on Tuesday. We are in the middle of 
something. How do you see where we are at being able to get infor- 
mation out and to do something to fix a vulnerability, now that we 
are kind of in the middle of one of these episodes? 

Mr. McCurdy. First of all, there have been four in the last cou- 
ple of weeks. The one that was listed in the paper about TCP obvi- 
ously got headlines because there is an announcement by a British 
citizen that I think is having a press conference or something. In 
most instances, the vulnerability is communicated prior to even the 
threat level. In some instances, we worked literally months with 
our trusted members, including the vendors, to address the vulner- 
ability prior to it becoming released. That is this whole sensitivity 
of who actually gain access. That is why you do not make it all 
public. 

Now, it is true sometimes we get something reported on CNN be- 
fore we do CERT, but that is generally not the case. If you look at 
the numbers of vulnerabilities and threats that are being reported 
to the CERT, it has gone up exponentially every year. It is over 

100.000 threats that are reported this year and probably 5,000 or 

6.000 vulnerabilities. Vendors can go crazy with those things and 
there is this tension between the vendors and the users, and what 
is the appropriate reporting period and how do you assess this and 
how do you get them the opportunity to try to address it before it 
becomes public. 

It is not just a question, as I said earlier, of just the threat re- 
porting. It is true. It is out. What is really critical is how the re- 
ports are made. I have examples of those that we sent to our mem- 
bership. It not only identifies the threat, and we do digests of lists 
of all the recent ones, and how you can go into a secure site in 
order to understand it better. But it talks about the vulnerability 
on the systems affected, the overview, the description of what it is, 
which sometimes is very lengthy and for many of us we could not 
understand a word it says; the impact. But more importantly, there 
is a solution. That is where you need the time and this trust rela- 
tionship. The solutions often come from that communication with 
the industry. 

When we are talking information sharing and people say it is 
proprietary and they do not want to release it, it is usually general 
counsel’s that are kind of sending that message, the lawyers are 
out there saying that. But the people who work it every day, when 
they have this conference call that we have and they are saying, 
well, this is how we are dealing with it; boy, lights go on or this 
is how the experts at Carnegie Mellon or Southern Cal or Purdue 
are dealing with it. And then obviously they say apply a patch from 
your vendor. Well, that is an easy solution sometimes. 

It is pulling all those people together that I think we have 
evolved to the point we now have that working. That is why some 
of our industry members are willing to pay so much for that. It is 
also why some of the other companies are sitting out there glad 
that they are paying that and are doing that because they are get- 
ting a free ride off of them. But then once you get that threat infor- 
mation, how do you develop the practices to ensure against it in 
the future and get out of the reactive mode. 
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Mr. Thornberry. Let me ask, to just get back to the central 
focus of this hearing, which you raised. Do any of you see a step 
that Congress needs to take to better protect, whether it is private 
sector data or whatever, related to critical infrastructure? Part of 
this, we are still feeling our way through. The protections we have 
already granted, is that enough? But at this stage in the pro- 
ceedings, is there some additional step that you see that we need 
to take in order to help develop this trust relationship to share that 
information? 

And if you do not, say no. I am just curious at this stage whether 
you do. 

Mr. Dacey. Yes, just to step back a bit. A few years ago we re- 
ported on a lot of the concerns by the private sector with the FOIA 
and civil liability and antitrust being three of the primary areas of 
concern at that point. Certainly in the deliberations of Congress, 
you put provisions in the Homeland Security Act which provided 
certain protective measures forFOIA and those have embodied 
themselves in the CII process. Again, it is not a final rule that is 
in place. I think it will take a little time to figure out if that is ade- 
quate or not. So I do not know that I would rush to change that 
dynamic at this point until we see. Obviously, one of the issues gets 
back to risk. There has to be a benefit perceived in sharing that 
information as opposed to a potential downside that might exist. So 
I think that some of that will take time. 

In terms of some of these other issues, I think, again I would go 
back to a comment that I made earlier that I think it is important 
that some of the strategies and some of these plans be laid out, and 
that be in full cooperation with the private sector and state and 
local governments. That is happening now and I hope it happens 
well, but it needs to be fully bought into by all those parties. As 
part of that process, I would hope they would be identifying along 
the way issues as you discussed, where legislative relief is appro- 
priate or would benefit them. I think that would be the best proc- 
ess to follow. 

If you get all these heads together, you are going to come up with 
a good list and then you can consider whether you want to deal 
with that collectively. At the top of my head, I do not have any just 
glaring issues that need to be addressed from a legislative stand- 
point, but that is certainly one area to think about going forward. 
Again, that is supposed to be out this fall, and it is going to be crit- 
ical that all the players join in on that effort. I am hoping that that 
will happen. 

Mr. McCurdy. Without that final rule on FOIA, there is not the 
communication. The communication also has to be a two-way 
street. Mr. Liscouski used the magic words, probably because that 
is what we are preaching to them. Do not expect just to have pri- 
vate industry tell you all the vulnerabilities, and then have it go 
off into some massive organization never to get reported back or 
some affirmation that it was useful or not. If it is just that flow, 
then it will be cut off. That information will not flow. 

The other thing just from being on both sides of these tables, I 
think effective oversight is a neglected art and I think you are 
doing it here. Do not just think you have to have a bill. It is always 
fun to have our names on legislation, but I think following up regu- 
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larly and, you do not have to beat them up, but it has to be a com- 
munication, and it too has to be two-way. They need to be sensitive 
to that. 

It certainly would help if this committee becomes a permanent 
committee that the different lanes of jurisdiction are addressed, be- 
cause I feel for these individuals in government who spend all their 
time trying to deal with stakeholders. They are hearing from us in 
the private sector, but they are hearing from you as the overseers, 
as the board in effect, and they cannot do it all. I do not care how 
big the staff is. The more staff that they have, the more staff that 
you will have, the more requests that get going back and forth. 

So I think there has to be some good on-record conversations and 
there probably has to be some good off-the-record field discussions 
that take place. I always found those to be the most interesting 
and informative. We would invite you, by the way, there are facili- 
ties nearby. I know you have seen a number of those, but in the 
cyber world that are quite remarkable. Seventy percent of the 
world’s Internet flows just a few miles from here. Some of our 
members, where it is a VeriSign or at the very hub or the old Cable 
and Wireless, which is now another company, but they control a lot 
of the critical nodes. They are the pulse of a lot of activity that is 
pretty amazing. It takes a very professional set of wisdom and ex- 
perience in order to understand what that all means as it goes 
through. Government is not going to do that. That is in the private 
sector. 

So I would encourage you to do what you are doing. I would en- 
courage you to reach out to industry more because industry does 
not understand always your drive from a national security perspec- 
tive. They are market-driven, but the market can work in favor of 
national security if we have the right kind of exchange, and we 
would welcome that. 

Mr. Thornberry. Thank you. 

Ms. VanDe Hei? 

Ms. VanDe Hei. I guess I would suggest that perhaps the bioter- 
rorism bill that was passed in June 2002 had some protections in 
it for the vulnerability assessments that needed to be submitted to 
EPA that were stronger than in the homeland security bill. In fact, 
there were criminal penalties attached to misuse of the informa- 
tion. I think that you might want to tighten up that part of the leg- 
islation to add to the comfort level of some of the private sector. 
It certainly did give some comfort to the drinking water systems 
because they do feel fairly vulnerable. 

The other thing I would like to add, though, to Mr. McCurdy, is 
that your oversight of the Department, I think it is very important 
that Homeland Security needs to be done differently than any of 
the other departments and how they work. We are regulated by 
EPA and we know how that works and what the thought process 
is. But security cannot, I think, succeed in the same sort of bureau- 
cratic stovepipe kind of thinking. What I see as the Department 
grows, when somebody says to me, hi, I am so and so and I have 
been in the government for 30 years, my comfort level does not go 
up that it is going to be done differently. So I think it is really im- 
portant that you keep an eye on keeping it lean and mean and that 
they are doing things in a way that is different, so that regulation 
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is not the only answer that you see down the road. I think that can 
be done and I think it is important that we try to do that before 
going in any other direction. 

Mr. Thornberry. I appreciate all three of you and your valuable 
insights. It has been very helpful for me. I appreciate your willing- 
ness to be before us. I also appreciate your willingness to answer 
some written questions if there are follow-up things that we need 
to submit. 

With that, this hearing stands adjourned. 

[Whereupon, at 2:34 p.m., the subcommittees adjourned.] 

o 



